Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1520517
MD5:	55ad212ef14e1d3a99251ba84d4c3497
SHA1:	5f7127f6f859cae4b9d19f700196cb207a6ddd87
SHA256:	c4ef6abb3459faf2b1c99b9ebdb68e27bda102f71df30c1e773bf737cc2d9f33
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 8108 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 55AD212EF14E1D3A99251BA84D4C3497)

chrome.exe (PID: 8164 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 1516 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1980,i,6137211469705690225,15754436481577264097,262144 /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 9176 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5424 --field-trial-handle=1980,i,6137211469705690225,15754436481577264097,262144 /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 9184 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1980,i,6137211469705690225,15754436481577264097,262144 /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

String found in binary or memory: _.iq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.iq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.iq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.iq(_.rq(c))+"&hl="+_.iq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.iq(m)+"/chromebook/termsofservice.html?languageCode="+_.iq(d)+"&regionCode="+_.iq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 505sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.149"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.149", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.149"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIk6HLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_108.4.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_108.4.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: chromecache_111.4.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_108.4.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_103.4.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_111.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_111.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_108.4.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_103.4.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_108.4.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_103.4.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_103.4.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_103.4.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_103.4.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_103.4.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_103.4.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_103.4.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_103.4.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_103.4.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_111.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_108.4.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_103.4.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_108.4.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_111.4.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_108.4.dr	String found in binary or memory: https://www.google.com
Source: chromecache_103.4.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_111.4.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_111.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_111.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_111.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_111.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_111.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_103.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_103.4.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000002.2555559849.0000000004414000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2555559849.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2553358829.0000000001916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: file.exe, 00000000.00000002.2555559849.00000000043EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd?
Source: file.exe, 00000000.00000002.2555559849.0000000004414000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdc
Source: file.exe, 00000000.00000002.2553358829.0000000001916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdcess
Source: file.exe, 00000000.00000002.2553358829.0000000001916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdntries
Source: chromecache_103.4.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.10:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.10:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.10:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.55:443 -> 192.168.2.10:49753 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00D1EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00D1ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00D1EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D0AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00D0AA57

Source: file.exe, 00000000.00000002.2555092274.0000000003FD4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICESoT

memstr_fdca64fa-d

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D39576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D39576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1297771519.0000000000D62000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_08e02dba-a
Source: file.exe, 00000000.00000000.1297771519.0000000000D62000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8f5aaccc-1
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a82ccfc6-2
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7e1f1e85-3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D0D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00D0D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D01201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00D01201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D0E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00D0E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D12046	0_2_00D12046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA8060	0_2_00CA8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D08298	0_2_00D08298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDE4FF	0_2_00CDE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD676B	0_2_00CD676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D34873	0_2_00D34873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CACAF0	0_2_00CACAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCCAA0	0_2_00CCCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CBCC39	0_2_00CBCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD6DD9	0_2_00CD6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA91C0	0_2_00CA91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CBB119	0_2_00CBB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC1394	0_2_00CC1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC1706	0_2_00CC1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC781B	0_2_00CC781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC19B0	0_2_00CC19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB997D	0_2_00CB997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA7920	0_2_00CA7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC7A4A	0_2_00CC7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC7CA7	0_2_00CC7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC1C77	0_2_00CC1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD9EEE	0_2_00CD9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2BE44	0_2_00D2BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC1F32	0_2_00CC1F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00CBF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00CA9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00CC0A30 appears 46 times

Source: file.exe, 00000000.00000002.2554740468.0000000003EB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Comments\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildtr Gd vs file.exe
Source: file.exe, 00000000.00000002.2554740468.0000000003EB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Comments\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuildulong vs file.exe
Source: file.exe, 00000000.00000002.2552629627.0000000001638000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs file.exe
Source: file.exe, 00000000.00000002.2552629627.0000000001638000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEA# vs file.exe
Source: file.exe, 00000000.00000002.2552629627.0000000001638000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTF8X# vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.evad.winEXE@37/40@21/8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D137B5 GetLastError,FormatMessageW,

0_2_00D137B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D010BF AdjustTokenPrivileges,CloseHandle,		0_2_00D010BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00D016C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00D151CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D2A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00D2A67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00D1648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00CA42A2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1980,i,6137211469705690225,15754436481577264097,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5424 --field-trial-handle=1980,i,6137211469705690225,15754436481577264097,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1980,i,6137211469705690225,15754436481577264097,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1980,i,6137211469705690225,15754436481577264097,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5424 --field-trial-handle=1980,i,6137211469705690225,15754436481577264097,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1980,i,6137211469705690225,15754436481577264097,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 1167360 > 1048576

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CA42DE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF668E push ss; retf	0_2_00CF668F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF6686 push ss; retf	0_2_00CF6687
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF6682 push ss; retf	0_2_00CF6683
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC0A76 push ecx; ret	0_2_00CC0A89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF4CE6 push 0000003Eh; iretd	0_2_00CF4CE8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CAD01B push cs; iretd	0_2_00CAD01E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1199 push cs; retf	0_2_00CB119A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB119C push cs; retf	0_2_00CB11A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB124F pushad ; iretd	0_2_00CB1252
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB124D pushad ; iretd	0_2_00CB124E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1247 pushad ; iretd	0_2_00CB124A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB125F pushad ; iretd	0_2_00CB1262
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1253 pushad ; iretd	0_2_00CB1256
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1263 pushad ; iretd	0_2_00CB1266
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF56D8 push eax; iretd	0_2_00CF56DA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF56E9 push esp; iretd	0_2_00CF56EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF57E4 push ebx; iretd	0_2_00CF57FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF57E1 push ebx; iretd	0_2_00CF57E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF57FC push esi; iretd	0_2_00CF5802
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF1788 push ss; iretd	0_2_00CF1789
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF5788 push eax; iretd	0_2_00CF578A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF179F push ss; iretd	0_2_00CF17A1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF5799 push esp; iretd	0_2_00CF579A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF1797 push ss; iretd	0_2_00CF179D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF17AC push ss; iretd	0_2_00CF17AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF17A8 push ss; iretd	0_2_00CF17A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF17A3 push ss; iretd	0_2_00CF17A5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF57B8 push ebx; iretd	0_2_00CF57CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF57B5 push ebx; iretd	0_2_00CF57B6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF17B0 push ss; iretd	0_2_00CF17B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF5741 push esp; iretd	0_2_00CF5742

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CBF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00CBF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D31C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00D31C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97135

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 6607

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.4 %

Source: C:\Users\user\Desktop\file.exe TID: 8112

Thread sleep time: -66070s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Thread sleep count: Count: 6607 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D0DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDC2A2 FindFirstFileExW,	0_2_00CDC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D168EE FindFirstFileW,FindClose,	0_2_00D168EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00D1698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D0D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D0D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D19642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D1979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00D19B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D15C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00D15C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CA42DE

Source: file.exe, 00000000.00000002.2555429358.0000000004079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\^
Source: file.exe, 00000000.00000002.2555429358.0000000004079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}v

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-97284

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1EAA2 BlockInput,

0_2_00D1EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CD2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CA42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CC4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00CC4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00D00B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CD2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CC083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC09D5 SetUnhandledExceptionFilter,	0_2_00CC09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CC0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00D01201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00CE2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D0B226 SendInput,keybd_event,

0_2_00D0B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00D222DA

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00D00B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D01663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00D01663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CC0698 cpuid

0_2_00CC0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D18195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00D18195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CFD27A GetUserNameW,

0_2_00CFD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CDB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00CDB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CA42DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8
Source: file.exe, 00000000.00000002.2552779065.0000000001722000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_XPv

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D21204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00D21204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D21806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00D21806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	31 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	31 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.184.206	true	false	unknown
www3.l.google.com	216.58.206.46	true	false	unknown
play.google.com	142.250.181.238	true	false	unknown
www.google.com	142.250.184.196	true	false	unknown
youtube.com	142.250.185.238	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false		unknown
https://www.google.com/favicon.ico	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_103.4.dr	false		unknown
https://families.google.com/intl/	chromecache_103.4.dr	false		unknown
https://youtube.com/t/terms?gl=	chromecache_103.4.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_103.4.dr	false		unknown
https://www.google.com/intl/	chromecache_103.4.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_111.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_103.4.dr	false		unknown
https://play.google.com/work/enroll?identifier=	chromecache_108.4.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_103.4.dr	false		unknown
https://g.co/recover	chromecache_108.4.dr	false		unknown
https://policies.google.com/privacy/additional	chromecache_103.4.dr	false		unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_108.4.dr	false		unknown
https://policies.google.com/technologies/cookies	chromecache_103.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_103.4.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_111.4.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_108.4.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_103.4.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_103.4.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_108.4.dr	false		unknown
https://policies.google.com/terms/location	chromecache_103.4.dr	false		unknown
https://policies.google.com/privacy	chromecache_103.4.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_103.4.dr	false		unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_108.4.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.184.196	www.google.com	United States	15169	GOOGLEUS	false
142.250.185.238	youtube.com	United States	15169	GOOGLEUS	false
216.58.206.46	www3.l.google.com	United States	15169	GOOGLEUS	false
172.217.23.110	unknown	United States	15169	GOOGLEUS	false
142.250.181.238	play.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.184.206	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.10

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520517
Start date and time:	2024-09-27 12:53:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@37/40@21/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 44 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.16.195, 142.250.184.238, 64.233.167.84, 34.104.35.123, 142.250.186.138, 142.250.186.170, 142.250.185.234, 142.250.184.202, 142.250.185.74, 142.250.185.138, 142.250.186.74, 216.58.206.42, 142.250.185.170, 172.217.18.106, 142.250.181.234, 142.250.185.106, 142.250.184.234, 142.250.185.202, 172.217.23.106, 216.58.212.138, 142.250.184.195, 142.250.186.131, 172.217.16.138, 216.58.212.170, 216.58.206.74, 88.221.110.91, 142.250.185.227, 64.233.166.84, 74.125.71.84, 108.177.15.84
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	ATT71725.html	Get hash	malicious	HTMLPhisher	Browse
	https://metapolicyreview.com/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	Payment Notification.msg	Get hash	malicious	Unknown	Browse
	https://smallpdf.com/sign-pdf/document#data=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2VzaWduLnNtYWxscGRmLXN0YWdpbmcuY29tIiwic3ViIjoiNjE3MmQyMzMtODcyNy00M2NhLWI1NjQtYjgwZDUyZjYxYmVjIiwiYXVkIjpbImVzaWduIl0sImV4cCI6MTcyODYzODEyMCwibmJmIjoxNzI3NDI4NTIwLCJpYXQiOjE3Mjc0Mjg1MjAsImp0aSI6IjYxNzJkMjMzLTg3MjctNDNjYS1iNTY0LWI4MGQ1MmY2MWJlYyIsInBheWxvYWQiOnsiZW52ZWxvcGVfaWQiOiI2ZWRlMzFjZS00Mzc2LTQwYzItYjJjNy1jMDc2Y2M3MjY4NjIiLCJzaWduX3JlcXVlc3RfaWQiOiI2MTcyZDIzMy04NzI3LTQzY2EtYjU2NC1iODBkNTJmNjFiZWMiLCJ0b2tlbl90eXBlIjoibm90aWZpY2F0aW9uIiwidXNlcl9lbWFpbCI6ImNoYW8ud3VAd3JpLm9yZyIsInVzZXJfZmlyc3RuYW1lIjoiY2hhby53dUB3cmkub3JnIiwidXNlcl9sYXN0bmFtZSI6ImNoYW8ud3VAd3JpLm9yZyJ9fQ.UX67GiHBKgjV8XyH-SFTt_KgB2I_q2j9cbGTSqbzRvY&eid=6ede31ce-4376-40c2-b2c7-c076cc726862&esrt=6172d233-8727-43ca-b564-b80d52f61bec	Get hash	malicious	Unknown	Browse
	Aisha C. Yetman shared you a document..msg	Get hash	malicious	Unknown	Browse
	https://adclick.g.doubleclick.net/pcs/click?xai=AKAOjsulL2bcqZSGb5TVbFOhW-BzJJtb8_QJJBgbE1zqe78Ie8BMxsNyhIFwdKd0pdA90RMhgTdSzkU9EZ9vbhoKh9hWuvNOpIawTAXoH5R0ak3U5rG_o-sZZz3gEiDRvTxtIDu5LY0qOySZABWrjrj9OfeDXHmC1qe7sBrjM2U90kovZKuuD34ZvXQ_OD2Hq--rkZwnu_VhQVAySwVh2ojndP52NUX9X40zwPfUt6TCc4F2rNspoMzray6vSBsFLXUX7nVDHqqILMYBWJr9fSc6AC0-g4meRNvX0rdEgcGztZ5SXk2Zbb1UlFLMFg&sai=AMfl-YQ851Qqa8i013PHKiB6TgTZ-QzfEpO1vcyiniBLSOaNAv3siIC9L9LV3aRq_nbn81w6wFB7OvNqhOdGvo-t7Q&sig=Cg0ArKJSzNuc_g1R_f21EAE&fbs_aeid=&urlfix=1&adurl=https://t.events.caixabank.com/r/?id=h665ab089,6dc7f7ae,f89fd96&p1=d70r46aqireop.cloudfront.net%23QZ~MamRpYXpAZXZlcnNoZWRzLXN1dGhlcmxhbmQuZXM=	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	8y4qT1eVpi.exe	Get hash	malicious	Amadey, Stealc	Browse
	https://strato.de-sys.online/HJd9cn-2tRRO-rDZDs-D6p99-HbdYU-wK4oY-FICwzl/index.html	Get hash	malicious	HTMLPhisher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://metapolicyreview.com/	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27 173.222.162.55
	file.exe	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27 173.222.162.55
	https://smallpdf.com/sign-pdf/document#data=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2VzaWduLnNtYWxscGRmLXN0YWdpbmcuY29tIiwic3ViIjoiNjE3MmQyMzMtODcyNy00M2NhLWI1NjQtYjgwZDUyZjYxYmVjIiwiYXVkIjpbImVzaWduIl0sImV4cCI6MTcyODYzODEyMCwibmJmIjoxNzI3NDI4NTIwLCJpYXQiOjE3Mjc0Mjg1MjAsImp0aSI6IjYxNzJkMjMzLTg3MjctNDNjYS1iNTY0LWI4MGQ1MmY2MWJlYyIsInBheWxvYWQiOnsiZW52ZWxvcGVfaWQiOiI2ZWRlMzFjZS00Mzc2LTQwYzItYjJjNy1jMDc2Y2M3MjY4NjIiLCJzaWduX3JlcXVlc3RfaWQiOiI2MTcyZDIzMy04NzI3LTQzY2EtYjU2NC1iODBkNTJmNjFiZWMiLCJ0b2tlbl90eXBlIjoibm90aWZpY2F0aW9uIiwidXNlcl9lbWFpbCI6ImNoYW8ud3VAd3JpLm9yZyIsInVzZXJfZmlyc3RuYW1lIjoiY2hhby53dUB3cmkub3JnIiwidXNlcl9sYXN0bmFtZSI6ImNoYW8ud3VAd3JpLm9yZyJ9fQ.UX67GiHBKgjV8XyH-SFTt_KgB2I_q2j9cbGTSqbzRvY&eid=6ede31ce-4376-40c2-b2c7-c076cc726862&esrt=6172d233-8727-43ca-b564-b80d52f61bec	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27 173.222.162.55
	https://adclick.g.doubleclick.net/pcs/click?xai=AKAOjsulL2bcqZSGb5TVbFOhW-BzJJtb8_QJJBgbE1zqe78Ie8BMxsNyhIFwdKd0pdA90RMhgTdSzkU9EZ9vbhoKh9hWuvNOpIawTAXoH5R0ak3U5rG_o-sZZz3gEiDRvTxtIDu5LY0qOySZABWrjrj9OfeDXHmC1qe7sBrjM2U90kovZKuuD34ZvXQ_OD2Hq--rkZwnu_VhQVAySwVh2ojndP52NUX9X40zwPfUt6TCc4F2rNspoMzray6vSBsFLXUX7nVDHqqILMYBWJr9fSc6AC0-g4meRNvX0rdEgcGztZ5SXk2Zbb1UlFLMFg&sai=AMfl-YQ851Qqa8i013PHKiB6TgTZ-QzfEpO1vcyiniBLSOaNAv3siIC9L9LV3aRq_nbn81w6wFB7OvNqhOdGvo-t7Q&sig=Cg0ArKJSzNuc_g1R_f21EAE&fbs_aeid=&urlfix=1&adurl=https://t.events.caixabank.com/r/?id=h665ab089,6dc7f7ae,f89fd96&p1=d70r46aqireop.cloudfront.net%23QZ~MamRpYXpAZXZlcnNoZWRzLXN1dGhlcmxhbmQuZXM=	Get hash	malicious	HTMLPhisher	Browse	4.245.163.56 184.28.90.27 173.222.162.55
	file.exe	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27 173.222.162.55
	8y4qT1eVpi.exe	Get hash	malicious	Amadey, Stealc	Browse	4.245.163.56 184.28.90.27 173.222.162.55
	https://strato.de-sys.online/HJd9cn-2tRRO-rDZDs-D6p99-HbdYU-wK4oY-FICwzl/index.html	Get hash	malicious	HTMLPhisher	Browse	4.245.163.56 184.28.90.27 173.222.162.55
	https://www.vossloh-events.com/EMOS/Login.aspx?ReturnUrl=%2femos	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27 173.222.162.55
	https://ojbkjs.vip/yb.js	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27 173.222.162.55
	file.exe	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27 173.222.162.55

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\4179d7b4-4d08-4c57-9590-19ecc0dcbfd4 (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	5091
Entropy (8bit):	7.923768885566106
Encrypted:	false
SSDEEP:	96:m3RjNsJybY12fFfnDc25KwN9ar3n+kcEE1S52xckap5XBchbgH:cKJybYYxDcxwgJvE13KppZ++H
MD5:	536ED0FB0DD074DE85F5FC0B9A38266F
SHA1:	9CD106C553A54BE2D6BC5B4593732E2FE5CAE884
SHA-256:	E06A178A7BF1F59A27638D2066FB1E58DD83177696452A570741FDEB8F680F71
SHA-512:	D93A463CE242F713168FD90EFFA0F5F7C538A8B1001CF3129A72F60E75F72CF2221FFFAD3B21A65910CC7A041F3F4D620C061090EC0764C632E792BCBA38D31D
Malicious:	false
Reputation:	low
Preview:	Cr24....E.........0.."0....H.............0.........:.2.W.))...I...5_U(I7nz...2[.;..H...S.../...nb%Yx.6.]i.....u...PDF.i.LJK.?....l.....R...\|...j...C..j!.%'..s....[."...Gy...=l)..=.l\....4..Q!$e.=...C.1.%d..B...K.[.l,.....7......y...$7J..G&TT..W.-=jgs[...&.@/.j$....+...yk\|l^..Km)\Y..x..}OCXf.....A5s.7..8..o....L..(p[...^e......?&X..:~,.)..C..n...Hh.....<..N..0.....woa6....'&y....tH..7@..a.t.....F..YQU......<......m!..^.#f.'F".....lt..97U3f...WM....]Lw...)..x...)..Hy Z...l.a.)J~'.y.o.NS.#.,6.D.9UMW..l>.pa.WG.^..L,..B...."p.Y.....<............u....].Q..=..c...{i..'!\.D....H=..1N.I...F.!.,........j\....8..C......V_]-.G.Q.SA..f....E.4t...~...u..F.vY.9..j..}Ib......W.v!b.C.+...d..O............Q......x}VA.$.8......<..t.m.7.V'.%I..r.A....[.L...m....G@$.%.o.t.^...._.i.+.3.\|(.... .LHz$l..Q..su.t..}.W..gC.j.q.u..7..?.)].f.3...}....&......==r.....4.....RY.pt5...8i$...<...I.....;.U_....Z.:J...-.<B. .z.\|.7!....Ito..;....t...>.5...ek..I3@~.%M

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 09:54:09 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9871567057950186
Encrypted:	false
SSDEEP:	48:8iqbdETM/zHaidAKZdA1uehwiZUklqehly+3:8ixwHuy
MD5:	BADF1DFF5F49CD45F8BBCD0F2BA3A448
SHA1:	2C8B72A309BB0568A561F05EFA2DBB1BF28DC835
SHA-256:	3895E187773DF0B3F521787C8549CBD1DCA2A0F42393D8D8C62E80E00A995BE8
SHA-512:	19971C9C1BAD9F78C55F16FEDC3AB11E4740D26249606593F4551465B065F9BDBD2EC398108EDEE794251E2550A5AF58039C4C7AC55F2DE4009D34B4D248E365
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....%s.........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I;Y.V....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V;Y.V....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V;Y.V....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V;Y.V...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V;Y.V....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............,.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 09:54:09 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.002967510976781
Encrypted:	false
SSDEEP:	48:8PqbdETM/zHaidAKZdA1Heh/iZUkAQkqehey+2:8Pxwh9Qzy
MD5:	0E817D1DC97D9CBDFB538CD96B74667F
SHA1:	D3414C7BE6596DE0F6155B85CF1D3C3104228BBD
SHA-256:	2BACA214E55CD04EE24402B52E36E687C6AF0B204144C99C30F711ED97BC489E
SHA-512:	21556FAF203C3704D1F8860F28E517EB6C6200E22E929C45489DFD54D884CA1FA763DD39E5975B406BA0FFE1507697CF16383094BA55E22146FF511F565C721E
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....f.d.........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I;Y.V....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V;Y.V....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V;Y.V....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V;Y.V...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V;Y.V....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............,.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 08:59:33 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.011911490451188
Encrypted:	false
SSDEEP:	48:8FqbdETMbHaidAKZdA149eh7sFiZUkmgqeh7sEy+BX:8Fxw9nay
MD5:	26D47D850D0A974AEF098808A42A520B
SHA1:	280ECAA95687735A0F674C7604294517AA645D82
SHA-256:	BDA8B3E2E2CEEF3A9481E32E96210F90F662D85DF33ACC022513DDC8F063B74C
SHA-512:	5821B785D679FBAFB4A9D3B7D636CC04651C903AA52A81D32A43FF07A127B526225EDC0F47BC6DA0930CB510C8DB512B949E9FF6435954BB8D8239FD81E55FCC
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....K..r.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I;Y.V....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V;Y.V....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V;Y.V....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V;Y.V...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VEW.L....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............,.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 09:54:09 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.001570198832555
Encrypted:	false
SSDEEP:	48:8gqbdETM/zHaidAKZdA14ehDiZUkwqehyy+R:8gxwScy
MD5:	93FD4F0E2F54F73F750B3E62F1B7E98F
SHA1:	05B702A6107B5A380FB3769525F8E54C01752AD7
SHA-256:	5B9D40A233EFC4CCFC4F2418945234824DF4DA22076EA173EB082D88E8098C9B
SHA-512:	449CB55E3C00D9066350BF3946B2F3634F37D17DB48F0614ED0093DD881B1177C376F5C9886D1C4E64CB74697B660C6541EBB6A1D009C6AD4A0DD37CB02E2D10
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....S.].........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I;Y.V....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V;Y.V....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V;Y.V....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V;Y.V...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V;Y.V....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............,.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 09:54:09 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9899262535322757
Encrypted:	false
SSDEEP:	48:8wqbdETM/zHaidAKZdA1mehBiZUk1W1qehAy+C:8wxwS9gy
MD5:	2A8C251AEC919718321304BA006CA250
SHA1:	E4F3A8896EA2005B08F342B70605C64C9AE94B15
SHA-256:	2326A45E9BAC23060C85EA055E5FFCFA17B77182C2913648C2AE264E3D1C3B13
SHA-512:	DFF3ED91367EEAF67923817F7E4BF073C3019C2F8474980D19F64F33BB82067AEB9A14AB81A3F952CE7F19ECB928E31A9E31C91E27C067F290FCD5889C766958
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....k.k.........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I;Y.V....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V;Y.V....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V;Y.V....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V;Y.V...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V;Y.V....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............,.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 09:54:09 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.00056563233031
Encrypted:	false
SSDEEP:	48:8XqbdETM/zHaidAKZdA1duT1ehOuTbbiZUk5OjqehOuTbay+yT+:8XxwZTyTbxWOvTbay7T
MD5:	7D1034F679FF10DC45B9854C2598D178
SHA1:	9D089331E000C0C7A976186318CF7D9B1F2D09A4
SHA-256:	D6B1B6CE34BC31F6A4F7A9F2EA93112568747017080991B387FDB8519E3F2FDE
SHA-512:	A6A7E6679FD0B04465A0F69F2324DEDC3FDC1D35F6CF2C9F1199FC174B5AEB54B9C0A304CA2EAB4BFD30D671720381A4FDDDC7F29D3C6DD9C6C867B01DA38181
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....&T.........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I;Y.V....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V;Y.V....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V;Y.V....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V;Y.V...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V;Y.V....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............,.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Downloads\5fb4c68c-2b24-46c3-9d7f-59c5c6a4127b.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	5091
Entropy (8bit):	7.923768885566106
Encrypted:	false
SSDEEP:	96:m3RjNsJybY12fFfnDc25KwN9ar3n+kcEE1S52xckap5XBchbgH:cKJybYYxDcxwgJvE13KppZ++H
MD5:	536ED0FB0DD074DE85F5FC0B9A38266F
SHA1:	9CD106C553A54BE2D6BC5B4593732E2FE5CAE884
SHA-256:	E06A178A7BF1F59A27638D2066FB1E58DD83177696452A570741FDEB8F680F71
SHA-512:	D93A463CE242F713168FD90EFFA0F5F7C538A8B1001CF3129A72F60E75F72CF2221FFFAD3B21A65910CC7A041F3F4D620C061090EC0764C632E792BCBA38D31D
Malicious:	false
Reputation:	low
Preview:	Cr24....E.........0.."0....H.............0.........:.2.W.))...I...5_U(I7nz...2[.;..H...S.../...nb%Yx.6.]i.....u...PDF.i.LJK.?....l.....R...\|...j...C..j!.%'..s....[."...Gy...=l)..=.l\....4..Q!$e.=...C.1.%d..B...K.[.l,.....7......y...$7J..G&TT..W.-=jgs[...&.@/.j$....+...yk\|l^..Km)\Y..x..}OCXf.....A5s.7..8..o....L..(p[...^e......?&X..:~,.)..C..n...Hh.....<..N..0.....woa6....'&y....tH..7@..a.t.....F..YQU......<......m!..^.#f.'F".....lt..97U3f...WM....]Lw...)..x...)..Hy Z...l.a.)J~'.y.o.NS.#.,6.D.9UMW..l>.pa.WG.^..L,..B...."p.Y.....<............u....].Q..=..c...{i..'!\.D....H=..1N.I...F.!.,........j\....8..C......V_]-.G.Q.SA..f....E.4t...~...u..F.vY.9..j..}Ib......W.v!b.C.+...d..O............Q......x}VA.$.8......<..t.m.7.V'.%I..r.A....[.L...m....G@$.%.o.t.^...._.i.+.3.\|(.... .LHz$l..Q..su.t..}.W..gC.j.q.u..7..?.)].f.3...}....&......==r.....4.....RY.pt5...8i$...<...I.....;.U_....Z.:J...-.<B. .z.\|.7!....Ito..;....t...>.5...ek..I3@~.%M

Chrome Cache Entry: 100

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32499
Entropy (8bit):	5.361345284201954
Encrypted:	false
SSDEEP:	768:mLX1O+aL6fgyIiREM4RKmh90toLoTswtF3ATcbDR6kIsnJd9DPyMv/FI:U2M4oltoLoTswtFoc/tIsnXFLI
MD5:	D5C3FB8EAE24AB7E40009338B5078496
SHA1:	5638BF5986A6445A88CD79A9B690B744B126BEC2
SHA-256:	597C14D360D690BCFDC2B8D315E6BB8879AEF33DE6C30D274743079BDB63C6B0
SHA-512:	6AE434850D473BEF15AA694AB4862596982CDDA6BD3991991D3ADD8F4A5F61DFBF8756D0DA98B72EF083909D68CF7B6B148A6488E9381F92FBF15CCB20176A0E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var qua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.gp("//www.google.com/images/cleardot.gif");_.rp(c)}this.ka=c};_.h=qua.prototype;_.h.Vc=null;_.h.QY=1E4;_.h.Iz=!1;_.h.TP=0;_.h.qJ=null;_.h.DU=null;_.h.setTimeout=function(a){this.QY=a};_.h.start=function(){if(this.Iz)throw Error("dc");this.Iz=!0;this.TP=0;rua(this)};_.h.stop=function(){sua(this);this.Iz=!1};.var rua=function(a){a.TP++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.om((0,_.eg)(a.JG,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.eg)(a.Xia,a),a.aa.onerror=(0,_.eg)(a.Wia,a),a.aa.onabort=(0,_.eg)(a.Via,a),a.qJ=_.om(a.Yia,a.QY,a),a.aa.src=String(a.ka))};_.h=qua.prototype;_.h.Xia=function(){this.JG(!0)};_.h.Wia=function(){this.JG(!1)};_.h.Via=function(){this.JG(!1)};_.h.Yia=function(){this.JG(!1)};._.h.JG=function(a){sua(this);a?(this.Iz=!1,this.da.call(this.ea,!0)):this.TP<=0?rua(this):(this.Iz=!1,

Chrome Cache Entry: 101

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1416
Entropy (8bit):	5.299417038163051
Encrypted:	false
SSDEEP:	24:kMYD7JqrxsNL90YIzFK/Hb5eNhz1uktdDuvKKKGbLZ99GbSSF/ZR8OkdnprGJ:o7JopFN+ASCKKGbF99GbSS3RY7rw
MD5:	6AEAE74D22F7C2D9658B057EA5D85069
SHA1:	2F4644F53FB4E8EC4AFD49A31C55853F062D284C
SHA-256:	EBFE7B5A1020808B9A02667ECC0E7E460643CBDE84F0B9C410C70A91C9726667
SHA-512:	C43F067D649CBC3091B9878715F718E47CD753C860EBEB20CD387C325640C2EF3CA9556D0689852CEF667C8E83BF42568BEF33C8A92BC07FDB91CB7EA608162D
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("P6sQOc");.var MZa=!!(_.Nh[1]&16);var OZa=function(a,b,c,d,e){this.ea=a;this.ta=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=NZa(this)},PZa=function(a){var b={};_.Ma(a.hS(),function(e){b[e]=!0});var c=a.WR(),d=a.cS();return new OZa(a.XO(),c.aa()1E3,a.oR(),d.aa()1E3,b)},NZa=function(a){return Math.random()Math.min(a.taMath.pow(a.ka,a.aa),a.Ca)},HG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var IG=function(a){_.X.call(this,a.Fa);this.da=a.Ea.mV;this.ea=a.Ea.metadata;a=a.Ea.lga;this.fetch=a.fetch.bind(a)};_.J(IG,_.X);IG.Ba=function(){return{Ea:{mV:_.KZa,metadata:_.HZa,lga:_.AZa}}};IG.prototype.aa=function(a,b){if(this.ea.getType(a.Md())!==1)return _.Vm(a);var c=this.da.JU;return(c=c?PZa(c):null)&&HG(c)?_.mya(a,QZa(this,a,b,c)):_.Vm(a)};.var QZa=function(a,b,c,d){return c.then(function(e){return e},function(e){if(MZa)if(e instanceof _.qf){if(!e.status\|\|

Chrome Cache Entry: 102

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 103

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3190)
Category:	downloaded
Size (bytes):	339369
Entropy (8bit):	5.533022690974177
Encrypted:	false
SSDEEP:	3072:9hFx8tVGv15Iyr4t4s2GvgHVTYDh+rvVvurtVEWzcLmLyszIm8j2kzU:9NlvE+zTYDh+rvh8cLMijFg
MD5:	FF16B667178352EFDF164CE3F16A8F55
SHA1:	E9B1BC661337502E31306B5E7AE37D93C0551455
SHA-256:	625EC33FBA1BFF3734490AC15C8430CDB5850E9159B80F607E093BB73B7F243B
SHA-512:	F197393CB05F94BCEDA0FE3176842E09CFCFC2348DE22C9815DD8369D5D333038E8F93F426994482E2E9731A859FA9B6B6062BAD4AA3BFD3C0730281C4CCADB9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".EE6QGf{border-bottom-style:solid;border-bottom-width:1px;padding:16px;width:100%;z-index:6;background:#fff;background:var(--gm3-sys-color-surface-container-lowest,#fff);border-color:#c4c7c5;border-color:var(--gm3-sys-color-outline-variant,#c4c7c5);display:block;position:relative}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:inherit}@media (min-width:600px){.EE6QGf{align-items:center;display:flex;left:0;position:fixed;top:0}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:150px}}@media (min-width:600px) and (orientation:landscape){.EE6QGf{display:block;position:relative}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:inherit}}@media (min-width:960px) and (orientation:landscape){.EE6QGf{align-items:center;display:flex;left:0;position:fixed;top:0}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:150px}}.PZB4Lc{display:flex;width:100%}.YLIzab{font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1rem;font-weight:500;letter-spacing:0rem;line-height:1

Chrome Cache Entry: 104

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.3750044852869046
Encrypted:	false
SSDEEP:	48:o7zfN/cD498xdg+Y5jNQ8js6npwk0OmNAEZbpMzR4EQBcW5QcHj9KWfGAeFKRrw:oCD9dA5jOEGh+EFqR4rhqUhzff9w
MD5:	39693D34EE3D1829DBB1627C4FC6687B
SHA1:	A03303C2F027F3749B48D5134D1F8FB3E495C6E9
SHA-256:	03B0C1B4E402E0BCF75D530DD9085B25357EEFD09E238453DE1F3A042542C076
SHA-512:	AC0749EDC33DA0EC0E40470388DD797B6528AD08B8FAC1C2AC42F85198131052BA1B533E90409D35DA237607E8B07D591FA6BA580B6A90B0D0AB2282A01F7585
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var bA=function(a){_.X.call(this,a.Fa)};_.J(bA,_.X);bA.Ba=_.X.Ba;bA.prototype.wR=function(a){return _.af(this,{Wa:{HS:_.ol}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.oi(function(e){window._wjdc=function(f){d(f);e(PJa(f,b,a))}}):PJa(c,b,a)})};var PJa=function(a,b,c){return(a=a&&a[c])?a:b.Wa.HS.wR(c)};.bA.prototype.aa=function(a,b){var c=_.csa(b).Gj;if(c.startsWith("$")){var d=_.jm.get(a);_.xq[b]&&(d\|\|(d={},_.jm.set(a,d)),d[c]=_.xq[b],delete _.xq[b],_.yq--);if(d)if(a=d[c])b=_.ef(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.iu(_.Mfa,bA);._.l();._.k("SNUn3");._.OJa=new _.uf(_.Ag);._.l();._.k("RMhBfe");.var QJa=function(a){var b=_.wq(a);return b?new _.oi(function(c,d){var e=function(){b=_.wq(a);var f=_.Tfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 105

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 106

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.253939888205379
Encrypted:	false
SSDEEP:	48:o7BNJfeFb8L3A6FHqIy5Z+d70OCzSfvi/3fM/r8ZQzRrw:oFuILhFHrVCz0vLZz9w
MD5:	10FF6F99E3228E96AFD6E2C30EF97C0A
SHA1:	4AE3DCB8D1F5A0C302D5BAD9DFF5050A7A5E8130
SHA-256:	95E5546E1C7F311D07BB5050CC456A973E43BCC4777BA6014757376016537679
SHA-512:	116C0B1CAC98A27044100005545AB66BE5F4801D75DC259093A9F145B3A4ACD8DC1C360AF525F6DC8421CD54B675A78023D2ED8B57F5946A3969543758C673C9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.$Z=function(a){_.X.call(this,a.Fa);this.window=a.Ea.window.get();this.Mc=a.Ea.Mc};_.J(_.$Z,_.X);_.$Z.Ba=function(){return{Ea:{window:_.lu,Mc:_.vE}}};_.$Z.prototype.Mo=function(){};_.$Z.prototype.addEncryptionRecoveryMethod=function(){};_.a_=function(a){return(a==null?void 0:a.Go)\|\|function(){}};_.b_=function(a){return(a==null?void 0:a.N2)\|\|function(){}};_.OOb=function(a){return(a==null?void 0:a.Mp)\|\|function(){}};._.POb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.QOb=function(a){setTimeout(function(){throw a;},0)};_.$Z.prototype.WN=function(){return!0};_.iu(_.Dn,_.$Z);._.l();._.k("ziXSP");.var t_=function(a){_.$Z.call(this,a.Fa)};_.J(t_,_.$Z);t_.Ba=_.$Z.Ba;t_.prototype.Mo=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 107

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3346)
Category:	downloaded
Size (bytes):	22827
Entropy (8bit):	5.420322672717721
Encrypted:	false
SSDEEP:	384:/jqdWXWfyA20UUjDE8BSUxDJs16KHvSN34kaHaN+587SaXD2mLR0H:/jqdWXAUUjDE84Wi6KPSKjHaN+58+0J2
MD5:	2B29741A316862EE788996DD29116DD5
SHA1:	9D5551916D4452E977C39B8D69CF88DF2AAA462B
SHA-256:	62955C853976B722EFBB4C116A10DB3FF54580EDD7495D280177550B8F4289AB
SHA-512:	6E37C3258F07F29909763728DADE0CD40A3602D55D9099F78B37756926FCF2A50008B82876B518FEAF3E56617F0F7D1D37A73C346A99A58E6AD8BCD6689E9B15
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.pu.prototype.da=_.ca(38,function(){return _.vj(this,3)});_.Vy=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.Vy.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.Wy=function(){this.ka=!0;var a=_.Bj(_.jk(_.Fe("TSDtV",window),_.pya),_.pu,1,_.uj())[0];if(a){var b={};for(var c=_.n(_.Bj(a,_.qya,2,_.uj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Nj(d,1).toString();switch(_.xj(d,_.qu)){case 3:b[e]=_.Lj(d,_.pj(d,_.qu,3));break;case 2:b[e]=_.Nj(d,_.pj(d,_.qu,2));break;case 4:b[e]=_.Oj(d,_.pj(d,_.qu,4));break;case 5:b[e]=_.L(d,_.pj(d,_.qu,5));break;case 6:b[e]=_.Sj(d,_.kf,6,_.qu);break;default:throw Error("id`"+_.xj(d,_.qu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.Wy.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Fe("nQyAE",window)){var b=_.sya(a.flagName);if(b===null)a=a.def

Chrome Cache Entry: 108

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2544)
Category:	downloaded
Size (bytes):	358292
Entropy (8bit):	5.622523467644739
Encrypted:	false
SSDEEP:	3072:sy/lJpABa9hEP2iyjV5ygVLdh3YB4qyhLD6Crjyp3Sm5pnrjtuo0MpLEKusgI8sw:TyTNoygVWyhoDAMpL5gI8seqfhP3p+L
MD5:	14049A4F8FB34A2FA52A0358C72B2F2E
SHA1:	680985BDBE3FA830B31A9F02D40AFE925C12E70E
SHA-256:	56C112F31C6F61735FE5EBD188AD0928406F04454AFEC139297328D3EE6540B4
SHA-512:	5637742A7E2936540D957BA8A09991478EF0D4C28A3DA92D5260C7D5DA7BFD20811AFA26C0B53DD88D4A536B3C40A21ACA3310EFC17508A1C806B76ACB320631
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,EFQ78c,EIOG1e,GwYlN,I6YDgd,IZT63,K0PMbc,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,y5vRwf,zbML3c,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 109

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (569)
Category:	downloaded
Size (bytes):	3471
Entropy (8bit):	5.5174491302699495
Encrypted:	false
SSDEEP:	96:ojAmjTJ/fJgpIcB7Fd2tilGBEMO/A6VxV08w:vUTJpgDJXM0ApJ
MD5:	2D999C87DD54C7FE6400D267C33FBB23
SHA1:	414C3A329C2760325EDBACBD7A221D7F8DBFEEE8
SHA-256:	76D55A1AFC1D39CB04D60EB04E45A538A0E75EE2871561C84CC89B1C13596BCC
SHA-512:	72D923BB71DD147139962FF8E2BD0E336E0F6409C212AC2F25387D0F3B4FC9365F5A6D40E2980BB1065534888362C97D6B7663E362D29166B5915D2A9DA7D238
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,iAskyc,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var Txa=function(){var a=_.Ke();return _.L(a,1)},Tt=function(a){this.Da=_.t(a,0,Tt.messageId)};_.J(Tt,_.w);Tt.prototype.Ha=function(){return _.Hj(this,1)};Tt.prototype.Va=function(a){return _.Yj(this,1,a)};Tt.messageId="f.bo";var Ut=function(){_.km.call(this)};_.J(Ut,_.km);Ut.prototype.ud=function(){this.jT=!1;Uxa(this);_.km.prototype.ud.call(this)};Ut.prototype.aa=function(){Vxa(this);if(this.hC)return Wxa(this),!1;if(!this.sV)return Vt(this),!0;this.dispatchEvent("p");if(!this.fP)return Vt(this),!0;this.jM?(this.dispatchEvent("r"),Vt(this)):Wxa(this);return!1};.var Xxa=function(a){var b=new _.gp(a.z4);a.WP!=null&&_.Mn(b,"authuser",a.WP);return b},Wxa=function(a){a.hC=!0;var b=Xxa(a),c="rt=r&f_uid="+_.sk(a.fP);_.fn(b,(0,_.eg)(a.ea,a),"POST",c)};.Ut.prototype.ea=function(a){a=a.target;Vxa(this);if(_.jn(a)){this.RJ=0;if(this.jM)this.hC=!1,this.dispatchEvent("r")

Chrome Cache Entry: 110

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5049
Entropy (8bit):	5.317800104741948
Encrypted:	false
SSDEEP:	96:oHX9gPiPrfnHhsB0TR6kg1oDPJzLmM18Vh1z2fEZ54TZtnqj6w:EtEAr6BmPZtOeEvW/ncP
MD5:	CE53EF566B68CCF2D62FA044CFB0D138
SHA1:	F48EC60289F2B55E8B388601206888F8295B1EB1
SHA-256:	E6CC5114D92811D5DE0663266D4B63F367834AFA0FC3BAFA54F707038C59D010
SHA-512:	20B434881DE971E263669E6096C01665D4D35B0FBFF47D312A4A442645EE962A8CE6AD7E68246D4EE9691BD30D9B1DDCF7059226492E1B58CD3191B63B001E4D
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,iAskyc,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.$Ma=_.y("wg1P6b",[_.OA,_.Fn,_.Rn]);._.k("wg1P6b");.var M5a;M5a=_.oh(["aria-"]);._.mJ=function(a){_.Y.call(this,a.Fa);this.Ja=this.ta=this.aa=this.viewportElement=this.La=null;this.Tc=a.Ea.qf;this.ab=a.Ea.focus;this.Lc=a.Ea.Lc;this.ea=this.Ei();a=-1*parseInt(_.Fo(this.Ei().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Fo(this.Ei().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.gf(this.getData("isMenuDynamic"),!1);b=_.gf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Sc(0),_.fu(this,.N5a(this,this.aa.el())));_.mF(this.oa())&&(a=this.oa().el(),b=this.De.bind(this),a.__soy_skip_handler=b)};_.J(_.mJ,_.Y);_.mJ.Ba=function(){return{Ea:{qf:_.SE,focus:_.BE,Lc:_.mu}}};_.mJ.prototype.pF=function(a){var b=a.source;this.La=b;var c;((c=a.data)==null?0:c.Jy)?(a=a.data.Jy,this.Ca=a==="MOUS

Chrome Cache Entry: 111

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	603951
Entropy (8bit):	5.789949489744101
Encrypted:	false
SSDEEP:	3072:x0pApkygA62bwwdnO2YflNYhFGOizdGj008PpVVM96C5bMEPQUhts6FV8eKqtVAT:xlgNmwwdnOsF98oNGuQRAYqXsI1+
MD5:	036BC6CEC1912EAA63C716C2A7494AFC
SHA1:	C32891F55B0D7A86DCE1BDBB7B84DB21C2A09F4F
SHA-256:	1A6181C3DFAEE5919CE57152DCFFCDC4B151C5FB2969CFD62168C1711FF202CF
SHA-512:	0AAA2285D109114921B5FD8A15F9A3D1F218AF8C61054B3925965E6753F8A49B45798326EA986C4A6B6180B6C36292A4652E2BA730C7505684DAAA4B5C314675
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlGsNipZrCRRMFQh1-tVmHSsIDzQTA/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x20469860, 0x1ce13c40, 0x51407a0, 0x1908, 0x0, 0x1b400000, 0x19a00000, 0x0, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Na,Ua,gaa,iaa,lb,qaa,xaa,Daa,Iaa,Laa,Mb,Maa,Rb,Vb,Wb,Naa,Oaa,Xb,Paa,Qaa,Raa,ac,Waa,Yaa,ic,jc,kc,cba,dba,hba,kba,mba,nba,rba,uba,oba,tba,sba,qba,pba,vba,zba,Dba,Eba,Bba,Kc,Lc,Hba,Jba,Nba,Oba,Pba,Qba,Mba,Rba,Tba,gd,Vba,Wba,Yba,$ba,Zba,bca,cca,dca,eca,gca,fca,ica,jca,kca,lca,oca,r

Chrome Cache Entry: 112

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.3872171131917925
Encrypted:	false
SSDEEP:	192:FK/pAzN7GZ068Hqhqu6DQaVapzYjgKItwdiwUsYRTi1j1t9bRl9:FqI7GZ04dRYjghtgisYYbt9ll9
MD5:	AB70454DE18E1CE16E61EAC290FC304D
SHA1:	68532B5E8B262D7E14B8F4507AA69A61146B3C18
SHA-256:	B32D746867CC4FA21FD39437502F401D952D0A3E8DC708DFB7D58B85F256C0F1
SHA-512:	A123C517380BEF0B47F23A5A6E1D16650FE39D9C701F9FA5ADD79294973C118E8EA3A7BA32CB63C3DFC0CE0F843FB86BFFCAA2AAE987629E7DFF84F176DEBB98
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.gNa=_.y("SD8Jgb",[]);._.QX=function(a,b){if(typeof b==="string")a.Nc(b);else if(b instanceof _.Ip&&b.ia&&b.ia===_.B)b=_.$a(b.ww()),a.empty().append(b);else if(b instanceof _.Wa)b=_.$a(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.RX=function(a){var b=_.Lo(a,"[jsslot]");if(b.size()>0)return b;b=new _.Jo([_.Qk("span")]);_.Mo(b,"jsslot","");a.empty().append(b);return b};_.TKb=function(a){return a===null\|\|typeof a==="string"&&_.Ki(a)};._.k("SD8Jgb");._.WX=function(a){_.Y.call(this,a.Fa);this.Ua=a.controller.Ua;this.kd=a.controllers.kd[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.WX,_.Y);_.WX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.hv},header:{jsname:"tJHJj",ctor:_.hv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 113

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1652
Entropy (8bit):	5.296387798840289
Encrypted:	false
SSDEEP:	48:o7YNJvl3WlDQENrpB3stYCIgMxILNH/wf7DVTBpdQrw:o5fpB8iDwYlGw
MD5:	F18EA2D35027D6173E2864B5863CB6E3
SHA1:	1979174E786593DAFD2B23084F26332AB929216C
SHA-256:	547E151C2D842255451D651B749239B28DED9F803B524A77BD1E14D878BDAF58
SHA-512:	A031A439A99BCA557951A75234766033145E7D05E8453A4FE9BC0EA091E49BA59AF1479850D1E896B2D114575A80CCE111A787E7EEA9A7F288C78AD325436C18
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=xUdipf,OTA3Ae,A1yn5d,fKUV3e,aurFic,Ug7Xab,NwH0H,OmgaI,gychg,w9hDv,EEDORb,Mlhmy,ZfAoz,kWgXee,ovKuLd,yDVVkb,ebZ3mb,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.zg(_.Kla);_.$z=function(a){_.X.call(this,a.Fa);this.aa=a.Wa.cache};_.J(_.$z,_.X);_.$z.Ba=function(){return{Wa:{cache:_.Zs}}};_.$z.prototype.execute=function(a){_.Gb(a,function(b){var c;_.df(b)&&(c=b.eb.jc(b.jb));c&&this.aa.oG(c)},this);return{}};_.iu(_.Qla,_.$z);._.l();._.k("lOO0Vd");._.HZa=new _.uf(_.Km);._.l();._.k("ZDZcre");.var ZG=function(a){_.X.call(this,a.Fa);this.Nl=a.Ea.Nl;this.G3=a.Ea.metadata;this.aa=a.Ea.Ws};_.J(ZG,_.X);ZG.Ba=function(){return{Ea:{Nl:_.DG,metadata:_.HZa,Ws:_.AG}}};ZG.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Gb(a,function(c){var d=b.G3.getType(c.Md())===2?b.Nl.Pb(c):b.Nl.fetch(c);return _.Jl(c,_.EG)?d.then(function(e){return _.Jd(e)}):d},this)};_.iu(_.Vla,ZG);._.l();._.k("K5nYTd");._.GZa=new _.uf(_.Rla);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var GG=function(a){_.X.call(this,a

Chrome Cache Entry: 98

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xNDkSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 99

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4070
Entropy (8bit):	5.362700670482359
Encrypted:	false
SSDEEP:	96:GUpT+TmXtdW1qsHFcn7t7CnyWYvNTcLaQOw:lpT+qXW1PFcn7tGnyWY1TGb
MD5:	ED368A20CB303C0E7C6A3E6E43C2E14F
SHA1:	429A5C538B45221F80405163D1F87912DD73C05A
SHA-256:	93BA77AD4B11E0A70C0D36576F0DF24E27F50001EA02BAA6D357E034532D97F2
SHA-512:	DE74BBADE910475DD245FFEFD4E1FD10137DE710B1C920D33BA52554911496E1339EF3C1F6D9D315CBC98A60ABE5687A3E7D8BEE483708E18D25722E794BDBE9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZfAoz,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.zg(_.dqa);._.k("sOXFj");.var ou=function(a){_.X.call(this,a.Fa)};_.J(ou,_.X);ou.Ba=_.X.Ba;ou.prototype.aa=function(a){return a()};_.iu(_.cqa,ou);._.l();._.k("oGtAuc");._.oya=new _.uf(_.dqa);._.l();._.k("q0xTif");.var iza=function(a){var b=function(d){_.Zn(d)&&(_.Zn(d).Gc=null,_.yu(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Ku=function(a){_.et.call(this,a.Fa);this.Qa=this.dom=null;if(this.Vk()){var b=_.Jm(this.Mg(),[_.Om,_.Nm]);b=_.ri([b[_.Om],b[_.Nm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.cu(this,b)}this.Ra=a.Xl.Hda};_.J(Ku,_.et);Ku.Ba=function(){return{Xl:{Hda:function(a){return _.Ye(a)}}}};Ku.prototype.yp=function(a){return this.Ra.yp(a)};.Ku.prototype.getData=function(a){return this.Ra.getData(a)};Ku.prototype.vp=function(){_.Ft(this.d

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.036733653060842
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'167'360 bytes
MD5:	55ad212ef14e1d3a99251ba84d4c3497
SHA1:	5f7127f6f859cae4b9d19f700196cb207a6ddd87
SHA256:	c4ef6abb3459faf2b1c99b9ebdb68e27bda102f71df30c1e773bf737cc2d9f33
SHA512:	8199e1b9e83ea7f028c6f851b886d3cac829c533489c5e3292bc74b94df2900c7e4168dadec1f4ac0e12bff8a08679433586f79b719a240bb94cb816df5b5c76
SSDEEP:	24576:yqDEvCTbMWu7rQYlBQcBiT6rprG8arB2+b+HdiJUK:yTvC/MTQYxsWR7arB2+b+HoJU
TLSH:	2F45CF027391C062FF9B92734F5AF6115BBC69260123E61F13981DBABE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F68E2B [Fri Sep 27 10:51:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FE18C6DA623h
jmp 00007FE18C6D9F2Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE18C6DA10Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE18C6DA0DAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FE18C6DCCCDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FE18C6DCD18h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FE18C6DCD01h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x46464	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11b000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x46464	0x46600	68ff0046bdc2a2c57ac55761e7ca63e2	False	0.9059655306394316	data	7.844923732352645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11b000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x3d72c	data			1.0003416874592757
RT_GROUP_ICON	0x119ee4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x119f5c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x119f70	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x119f84	0x14	data	English	Great Britain	1.25
RT_VERSION	0x119f98	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11a074	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 12:54:00.917817116 CEST	49674	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:00.918308020 CEST	49675	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:01.322110891 CEST	49677	443	192.168.2.10	20.42.65.85
Sep 27, 2024 12:54:01.636499882 CEST	49677	443	192.168.2.10	20.42.65.85
Sep 27, 2024 12:54:02.245902061 CEST	49677	443	192.168.2.10	20.42.65.85
Sep 27, 2024 12:54:02.386641026 CEST	49671	443	192.168.2.10	204.79.197.203
Sep 27, 2024 12:54:03.449126005 CEST	49677	443	192.168.2.10	20.42.65.85
Sep 27, 2024 12:54:05.855241060 CEST	49677	443	192.168.2.10	20.42.65.85
Sep 27, 2024 12:54:07.357471943 CEST	49703	443	192.168.2.10	142.250.185.238
Sep 27, 2024 12:54:07.357481003 CEST	443	49703	142.250.185.238	192.168.2.10
Sep 27, 2024 12:54:07.357527018 CEST	49703	443	192.168.2.10	142.250.185.238
Sep 27, 2024 12:54:07.359200954 CEST	49703	443	192.168.2.10	142.250.185.238
Sep 27, 2024 12:54:07.359217882 CEST	443	49703	142.250.185.238	192.168.2.10
Sep 27, 2024 12:54:08.004549980 CEST	443	49703	142.250.185.238	192.168.2.10
Sep 27, 2024 12:54:08.005548000 CEST	49703	443	192.168.2.10	142.250.185.238
Sep 27, 2024 12:54:08.005563974 CEST	443	49703	142.250.185.238	192.168.2.10
Sep 27, 2024 12:54:08.005986929 CEST	443	49703	142.250.185.238	192.168.2.10
Sep 27, 2024 12:54:08.006133080 CEST	49703	443	192.168.2.10	142.250.185.238
Sep 27, 2024 12:54:08.006802082 CEST	443	49703	142.250.185.238	192.168.2.10
Sep 27, 2024 12:54:08.006869078 CEST	49703	443	192.168.2.10	142.250.185.238
Sep 27, 2024 12:54:08.009032011 CEST	49703	443	192.168.2.10	142.250.185.238
Sep 27, 2024 12:54:08.009109020 CEST	443	49703	142.250.185.238	192.168.2.10
Sep 27, 2024 12:54:08.009318113 CEST	49703	443	192.168.2.10	142.250.185.238
Sep 27, 2024 12:54:08.009331942 CEST	443	49703	142.250.185.238	192.168.2.10
Sep 27, 2024 12:54:08.057833910 CEST	49703	443	192.168.2.10	142.250.185.238
Sep 27, 2024 12:54:08.286497116 CEST	443	49703	142.250.185.238	192.168.2.10
Sep 27, 2024 12:54:08.286559105 CEST	49703	443	192.168.2.10	142.250.185.238
Sep 27, 2024 12:54:08.286567926 CEST	443	49703	142.250.185.238	192.168.2.10
Sep 27, 2024 12:54:08.286588907 CEST	443	49703	142.250.185.238	192.168.2.10
Sep 27, 2024 12:54:08.286628008 CEST	49703	443	192.168.2.10	142.250.185.238
Sep 27, 2024 12:54:08.287507057 CEST	49703	443	192.168.2.10	142.250.185.238
Sep 27, 2024 12:54:08.287520885 CEST	443	49703	142.250.185.238	192.168.2.10
Sep 27, 2024 12:54:08.300559044 CEST	49707	443	192.168.2.10	142.250.184.206
Sep 27, 2024 12:54:08.300585985 CEST	443	49707	142.250.184.206	192.168.2.10
Sep 27, 2024 12:54:08.300796032 CEST	49707	443	192.168.2.10	142.250.184.206
Sep 27, 2024 12:54:08.301207066 CEST	49707	443	192.168.2.10	142.250.184.206
Sep 27, 2024 12:54:08.301218987 CEST	443	49707	142.250.184.206	192.168.2.10
Sep 27, 2024 12:54:08.938621044 CEST	443	49707	142.250.184.206	192.168.2.10
Sep 27, 2024 12:54:08.938895941 CEST	49707	443	192.168.2.10	142.250.184.206
Sep 27, 2024 12:54:08.938905001 CEST	443	49707	142.250.184.206	192.168.2.10
Sep 27, 2024 12:54:08.939316988 CEST	443	49707	142.250.184.206	192.168.2.10
Sep 27, 2024 12:54:08.939402103 CEST	49707	443	192.168.2.10	142.250.184.206
Sep 27, 2024 12:54:08.940046072 CEST	443	49707	142.250.184.206	192.168.2.10
Sep 27, 2024 12:54:08.940088987 CEST	49707	443	192.168.2.10	142.250.184.206
Sep 27, 2024 12:54:08.941103935 CEST	49707	443	192.168.2.10	142.250.184.206
Sep 27, 2024 12:54:08.941163063 CEST	443	49707	142.250.184.206	192.168.2.10
Sep 27, 2024 12:54:08.941302061 CEST	49707	443	192.168.2.10	142.250.184.206
Sep 27, 2024 12:54:08.941309929 CEST	443	49707	142.250.184.206	192.168.2.10
Sep 27, 2024 12:54:08.995275974 CEST	49707	443	192.168.2.10	142.250.184.206
Sep 27, 2024 12:54:10.238708973 CEST	443	49707	142.250.184.206	192.168.2.10
Sep 27, 2024 12:54:10.238729954 CEST	443	49707	142.250.184.206	192.168.2.10
Sep 27, 2024 12:54:10.238800049 CEST	443	49707	142.250.184.206	192.168.2.10
Sep 27, 2024 12:54:10.238809109 CEST	49707	443	192.168.2.10	142.250.184.206
Sep 27, 2024 12:54:10.238898039 CEST	49707	443	192.168.2.10	142.250.184.206
Sep 27, 2024 12:54:10.241503954 CEST	49707	443	192.168.2.10	142.250.184.206
Sep 27, 2024 12:54:10.241513968 CEST	443	49707	142.250.184.206	192.168.2.10
Sep 27, 2024 12:54:10.526525021 CEST	49674	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:10.526529074 CEST	49675	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:10.667162895 CEST	49677	443	192.168.2.10	20.42.65.85
Sep 27, 2024 12:54:10.722995996 CEST	49710	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:10.723022938 CEST	443	49710	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:10.723109007 CEST	49710	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:10.723315954 CEST	49710	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:10.723331928 CEST	443	49710	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:11.359724045 CEST	443	49710	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:11.360038996 CEST	49710	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:11.360049009 CEST	443	49710	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:11.361562014 CEST	443	49710	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:11.361628056 CEST	49710	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:11.362796068 CEST	49710	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:11.362876892 CEST	443	49710	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:11.417212963 CEST	49710	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:11.417228937 CEST	443	49710	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:11.464071035 CEST	49710	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:11.995357037 CEST	49671	443	192.168.2.10	204.79.197.203
Sep 27, 2024 12:54:12.120594978 CEST	49713	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:12.120642900 CEST	443	49713	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:12.120729923 CEST	49713	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:12.122371912 CEST	49713	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:12.122390032 CEST	443	49713	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:12.775772095 CEST	443	49713	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:12.775825977 CEST	49713	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:12.781001091 CEST	49713	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:12.781013966 CEST	443	49713	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:12.781265974 CEST	443	49713	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:12.823395014 CEST	49713	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:12.827995062 CEST	49713	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:12.871396065 CEST	443	49713	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:13.086709023 CEST	443	49713	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:13.086771011 CEST	443	49713	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:13.086817026 CEST	49713	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:13.086894989 CEST	49713	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:13.086916924 CEST	443	49713	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:13.086937904 CEST	49713	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:13.086945057 CEST	443	49713	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:13.124802113 CEST	49717	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:13.124838114 CEST	443	49717	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:13.125046968 CEST	49717	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:13.125241041 CEST	49717	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:13.125257015 CEST	443	49717	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:13.826025963 CEST	443	49717	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:13.826175928 CEST	49717	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:13.829979897 CEST	49717	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:13.829992056 CEST	443	49717	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:13.830308914 CEST	443	49717	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:13.831562042 CEST	49717	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:13.879399061 CEST	443	49717	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:14.105639935 CEST	443	49717	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:14.105712891 CEST	443	49717	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:14.106507063 CEST	49717	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:14.350146055 CEST	49717	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:14.350147009 CEST	49717	443	192.168.2.10	184.28.90.27
Sep 27, 2024 12:54:14.350168943 CEST	443	49717	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:14.350178003 CEST	443	49717	184.28.90.27	192.168.2.10
Sep 27, 2024 12:54:18.170547009 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:18.170594931 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:18.170675039 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:18.170869112 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:18.170885086 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:18.888365030 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:18.888672113 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:18.888684988 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:18.889096975 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:18.889179945 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:18.889842033 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:18.889926910 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:18.891035080 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:18.891110897 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:18.891280890 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:18.891290903 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:18.932832956 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.211148024 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.212517977 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.212575912 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.212594986 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.212707043 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.213077068 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.213237047 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.218904018 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.219074965 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.219229937 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.219274044 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.225801945 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.226160049 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.238462925 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.238491058 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.238540888 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.238554001 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.238629103 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.253422022 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.253515959 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.337632895 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.337899923 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.338531971 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.338632107 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.339310884 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.339375973 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.342248917 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.342303038 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.344763041 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.344854116 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.345030069 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.345042944 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.345120907 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.346689939 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.346792936 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.346801043 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.348232985 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.349844933 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.349853992 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.354048014 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.354094028 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.354101896 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.359520912 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.359628916 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.371166945 CEST	49735	443	192.168.2.10	216.58.206.46
Sep 27, 2024 12:54:19.371181011 CEST	443	49735	216.58.206.46	192.168.2.10
Sep 27, 2024 12:54:19.617516994 CEST	49737	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:19.617568970 CEST	443	49737	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:19.617670059 CEST	49737	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:19.623801947 CEST	49738	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:19.623847008 CEST	443	49738	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:19.623909950 CEST	49738	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:19.624656916 CEST	49737	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:19.624674082 CEST	443	49737	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:19.625056028 CEST	49738	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:19.625062943 CEST	443	49738	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.277235031 CEST	49677	443	192.168.2.10	20.42.65.85
Sep 27, 2024 12:54:20.511369944 CEST	443	49737	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.512546062 CEST	443	49738	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.532943010 CEST	49738	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.532973051 CEST	443	49738	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.533068895 CEST	49737	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.533077002 CEST	443	49737	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.533432961 CEST	443	49738	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.533487082 CEST	49738	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.533607006 CEST	443	49737	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.533668041 CEST	49737	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.534183979 CEST	443	49738	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.534224033 CEST	49738	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.534332037 CEST	443	49737	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.534369946 CEST	49737	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.535571098 CEST	49738	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.535655022 CEST	443	49738	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.535669088 CEST	49737	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.535763025 CEST	443	49737	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.535913944 CEST	49738	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.535926104 CEST	443	49738	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.535999060 CEST	49737	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.536005974 CEST	443	49737	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.577195883 CEST	49737	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.577370882 CEST	49738	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.836904049 CEST	443	49737	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.836983919 CEST	443	49737	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.837071896 CEST	49737	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.837706089 CEST	49737	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.837723970 CEST	443	49737	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.839133024 CEST	49743	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.839169025 CEST	443	49743	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.839309931 CEST	49743	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.839761972 CEST	443	49738	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.839835882 CEST	443	49738	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.840223074 CEST	49738	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.840233088 CEST	443	49738	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.840253115 CEST	49738	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.840282917 CEST	49738	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.840426922 CEST	49743	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.840442896 CEST	443	49743	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.841098070 CEST	49744	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.841120958 CEST	443	49744	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:20.841176033 CEST	49744	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.841533899 CEST	49744	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:20.841543913 CEST	443	49744	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.049850941 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:21.049892902 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:21.049993992 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:21.051172018 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:21.051187038 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:21.260512114 CEST	443	49710	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:21.260582924 CEST	443	49710	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:21.260620117 CEST	49710	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:21.479909897 CEST	49710	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:21.479937077 CEST	443	49710	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:21.586874962 CEST	443	49744	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.612476110 CEST	443	49743	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.651637077 CEST	49744	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.667274952 CEST	49743	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.800447941 CEST	49744	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.800472021 CEST	443	49744	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.800689936 CEST	49743	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.800698996 CEST	443	49743	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.801062107 CEST	443	49744	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.801078081 CEST	443	49744	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.801126003 CEST	49744	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.801253080 CEST	443	49743	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.801264048 CEST	443	49743	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.801317930 CEST	49743	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.801826000 CEST	443	49744	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.801870108 CEST	49744	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.802021027 CEST	443	49743	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.802073956 CEST	49743	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.807512999 CEST	49744	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.807605982 CEST	443	49744	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.810832024 CEST	49743	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.810930014 CEST	443	49743	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.810956955 CEST	49744	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.810966015 CEST	443	49744	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.810985088 CEST	49744	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.811086893 CEST	49743	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.811088085 CEST	49743	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.811095953 CEST	443	49743	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.851412058 CEST	443	49743	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.851445913 CEST	443	49744	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:21.854736090 CEST	49744	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.854751110 CEST	49743	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:21.948996067 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:21.949063063 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:21.953438044 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:21.953463078 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:21.953705072 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:22.007623911 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:22.205135107 CEST	443	49744	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:22.205252886 CEST	443	49744	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:22.205307961 CEST	49744	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:22.206417084 CEST	49744	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:22.206439018 CEST	443	49744	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:22.219172001 CEST	443	49743	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:22.221010923 CEST	443	49743	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:22.221132994 CEST	49743	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:22.224591017 CEST	49743	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:22.224605083 CEST	443	49743	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:22.961045027 CEST	49672	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:22.998966932 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:23.039407015 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:23.045948982 CEST	49753	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:23.045983076 CEST	443	49753	173.222.162.55	192.168.2.10
Sep 27, 2024 12:54:23.046194077 CEST	49753	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:23.046386003 CEST	49753	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:23.046396017 CEST	443	49753	173.222.162.55	192.168.2.10
Sep 27, 2024 12:54:23.123151064 CEST	49754	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:23.123176098 CEST	443	49754	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:23.123332977 CEST	49754	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:23.124237061 CEST	49754	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:23.124249935 CEST	443	49754	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:23.275991917 CEST	49672	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:23.291671038 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:23.291701078 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:23.291709900 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:23.291738987 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:23.291750908 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:23.291753054 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:23.291765928 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:23.291793108 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:23.291807890 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:23.291807890 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:23.291841030 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:23.295342922 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:23.295402050 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:23.295411110 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:23.298244953 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:23.298291922 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:23.869137049 CEST	443	49753	173.222.162.55	192.168.2.10
Sep 27, 2024 12:54:23.869211912 CEST	49753	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:23.885312080 CEST	49672	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:23.943530083 CEST	443	49754	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:23.945939064 CEST	49754	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:23.945950985 CEST	443	49754	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:23.946367025 CEST	443	49754	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:23.947884083 CEST	49754	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:23.947884083 CEST	49754	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:23.947899103 CEST	443	49754	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:23.947952032 CEST	443	49754	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:23.994822025 CEST	49754	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:24.064479113 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:24.064512968 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:24.064532995 CEST	49745	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:54:24.064541101 CEST	443	49745	4.245.163.56	192.168.2.10
Sep 27, 2024 12:54:24.242711067 CEST	443	49754	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:24.242757082 CEST	443	49754	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:24.243412971 CEST	49754	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:24.243433952 CEST	443	49754	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:24.247704983 CEST	443	49754	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:24.247765064 CEST	443	49754	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:24.247843981 CEST	443	49754	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:24.247888088 CEST	49754	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:24.247888088 CEST	49754	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:24.248380899 CEST	49754	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:54:24.248399973 CEST	443	49754	142.250.184.196	192.168.2.10
Sep 27, 2024 12:54:25.090799093 CEST	49672	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:26.871226072 CEST	49758	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:26.871260881 CEST	443	49758	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:26.871422052 CEST	49758	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:26.872054100 CEST	49758	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:26.872070074 CEST	443	49758	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:27.495018005 CEST	49672	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:27.786485910 CEST	443	49758	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:27.786901951 CEST	49758	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:27.786911964 CEST	443	49758	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:27.787293911 CEST	443	49758	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:27.788219929 CEST	49758	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:27.788290977 CEST	443	49758	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:27.788346052 CEST	49758	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:27.788346052 CEST	49758	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:27.788377047 CEST	443	49758	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:28.192625999 CEST	443	49758	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:28.192768097 CEST	443	49758	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:28.192981958 CEST	49758	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:28.193916082 CEST	49758	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:28.193932056 CEST	443	49758	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:32.307399035 CEST	49672	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:41.917123079 CEST	49672	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:43.030376911 CEST	443	49753	173.222.162.55	192.168.2.10
Sep 27, 2024 12:54:43.030528069 CEST	49753	443	192.168.2.10	173.222.162.55
Sep 27, 2024 12:54:50.168860912 CEST	49759	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:50.169004917 CEST	443	49759	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:50.169112921 CEST	49759	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:50.171758890 CEST	49759	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:50.171777964 CEST	443	49759	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:50.282093048 CEST	49760	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:50.282188892 CEST	443	49760	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:50.282257080 CEST	49760	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:50.282527924 CEST	49760	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:50.282557011 CEST	443	49760	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:51.872598886 CEST	49761	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:51.872639894 CEST	443	49761	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:51.872724056 CEST	49761	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:51.873280048 CEST	49761	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:51.873296022 CEST	443	49761	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:54.096946001 CEST	443	49760	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:54.097572088 CEST	49760	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:54.097604990 CEST	443	49760	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:54.098215103 CEST	443	49760	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:54.098999023 CEST	49760	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:54.099114895 CEST	443	49760	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:54.099163055 CEST	49760	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:54.099246025 CEST	49760	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:54.099255085 CEST	443	49760	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:54.725325108 CEST	443	49761	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:54.725718975 CEST	49761	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:54.725737095 CEST	443	49761	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:54.726049900 CEST	443	49761	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:54.726176977 CEST	49761	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:54.726766109 CEST	443	49761	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:54.726833105 CEST	49761	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:54.727011919 CEST	49761	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:54.727124929 CEST	443	49761	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:54.727200031 CEST	49761	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:54.727209091 CEST	443	49761	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:54.727266073 CEST	49761	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:54:54.767399073 CEST	443	49761	142.250.181.238	192.168.2.10
Sep 27, 2024 12:54:54.778152943 CEST	49761	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:55:00.332930088 CEST	49762	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:55:00.332959890 CEST	443	49762	4.245.163.56	192.168.2.10
Sep 27, 2024 12:55:00.333049059 CEST	49762	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:55:00.333412886 CEST	49762	443	192.168.2.10	4.245.163.56
Sep 27, 2024 12:55:00.333420992 CEST	443	49762	4.245.163.56	192.168.2.10
Sep 27, 2024 12:55:10.778420925 CEST	49763	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:55:10.778491974 CEST	443	49763	142.250.184.196	192.168.2.10
Sep 27, 2024 12:55:10.778608084 CEST	49763	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:55:10.778918982 CEST	49763	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:55:10.778943062 CEST	443	49763	142.250.184.196	192.168.2.10
Sep 27, 2024 12:55:20.182626009 CEST	49759	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:55:20.227412939 CEST	443	49759	142.250.181.238	192.168.2.10
Sep 27, 2024 12:55:39.105931044 CEST	49760	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:55:39.105963945 CEST	443	49760	142.250.181.238	192.168.2.10
Sep 27, 2024 12:55:39.780004025 CEST	49761	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:55:39.780019045 CEST	443	49761	142.250.181.238	192.168.2.10
Sep 27, 2024 12:55:40.780157089 CEST	49763	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:55:40.827404022 CEST	443	49763	142.250.184.196	192.168.2.10
Sep 27, 2024 12:55:51.730477095 CEST	49769	443	192.168.2.10	172.217.23.110
Sep 27, 2024 12:55:51.730549097 CEST	443	49769	172.217.23.110	192.168.2.10
Sep 27, 2024 12:55:51.730623960 CEST	49769	443	192.168.2.10	172.217.23.110
Sep 27, 2024 12:55:51.730926037 CEST	49769	443	192.168.2.10	172.217.23.110
Sep 27, 2024 12:55:51.730945110 CEST	443	49769	172.217.23.110	192.168.2.10
Sep 27, 2024 12:55:54.063113928 CEST	49770	443	192.168.2.10	172.217.23.110
Sep 27, 2024 12:55:54.063225031 CEST	443	49770	172.217.23.110	192.168.2.10
Sep 27, 2024 12:55:54.063339949 CEST	49770	443	192.168.2.10	172.217.23.110
Sep 27, 2024 12:55:54.063632011 CEST	49770	443	192.168.2.10	172.217.23.110
Sep 27, 2024 12:55:54.063671112 CEST	443	49770	172.217.23.110	192.168.2.10
Sep 27, 2024 12:56:05.231476068 CEST	49759	443	192.168.2.10	142.250.181.238
Sep 27, 2024 12:56:05.231513023 CEST	443	49759	142.250.181.238	192.168.2.10
Sep 27, 2024 12:56:10.841515064 CEST	49771	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:56:10.841558933 CEST	443	49771	142.250.184.196	192.168.2.10
Sep 27, 2024 12:56:10.841630936 CEST	49771	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:56:10.842031956 CEST	49771	443	192.168.2.10	142.250.184.196
Sep 27, 2024 12:56:10.842041969 CEST	443	49771	142.250.184.196	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 12:54:07.286041975 CEST	53	59035	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:07.301565886 CEST	60735	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:54:07.302006006 CEST	63319	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:54:07.308301926 CEST	53	60735	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:07.309423923 CEST	53	63319	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:07.310708046 CEST	53	53974	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:08.291140079 CEST	64213	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:54:08.291277885 CEST	63144	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:54:08.298019886 CEST	53	64213	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:08.298094034 CEST	53	63144	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:08.366744041 CEST	53	50163	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:10.715136051 CEST	50838	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:54:10.715321064 CEST	61353	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:54:10.721973896 CEST	53	50838	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:10.722008944 CEST	53	61353	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:12.191905975 CEST	53	61624	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:15.029711008 CEST	53	50569	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:18.077672005 CEST	49716	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:54:18.077821970 CEST	63734	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:54:18.169702053 CEST	53	49716	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:18.169745922 CEST	53	63734	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:19.515916109 CEST	49426	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:54:19.516082048 CEST	63227	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:54:19.530457973 CEST	53	49426	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:19.530498981 CEST	53	63227	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:25.525888920 CEST	53	50140	1.1.1.1	192.168.2.10
Sep 27, 2024 12:54:44.365890980 CEST	53	54228	1.1.1.1	192.168.2.10
Sep 27, 2024 12:55:00.410612106 CEST	138	138	192.168.2.10	192.168.2.255
Sep 27, 2024 12:55:20.278768063 CEST	54546	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:55:20.278944016 CEST	54503	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:55:21.292417049 CEST	59076	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:55:21.292663097 CEST	58675	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:55:23.324548960 CEST	54251	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:55:24.339737892 CEST	54251	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:55:25.339621067 CEST	54251	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:55:27.341501951 CEST	54251	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:55:31.356151104 CEST	54251	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:55:43.349783897 CEST	53	49690	1.1.1.1	192.168.2.10
Sep 27, 2024 12:55:51.641570091 CEST	63337	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:55:51.641993999 CEST	49481	53	192.168.2.10	1.1.1.1
Sep 27, 2024 12:55:51.704663038 CEST	53	63337	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 12:54:07.301565886 CEST	192.168.2.10	1.1.1.1	0xe2e8	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:07.302006006 CEST	192.168.2.10	1.1.1.1	0x6395	Standard query (0)	youtube.com	65	IN (0x0001)	false
Sep 27, 2024 12:54:08.291140079 CEST	192.168.2.10	1.1.1.1	0xc617	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.291277885 CEST	192.168.2.10	1.1.1.1	0xfd7a	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Sep 27, 2024 12:54:10.715136051 CEST	192.168.2.10	1.1.1.1	0x8045	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:10.715321064 CEST	192.168.2.10	1.1.1.1	0x4a75	Standard query (0)	www.google.com	65	IN (0x0001)	false
Sep 27, 2024 12:54:18.077672005 CEST	192.168.2.10	1.1.1.1	0x91b0	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:18.077821970 CEST	192.168.2.10	1.1.1.1	0xc831	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Sep 27, 2024 12:54:19.515916109 CEST	192.168.2.10	1.1.1.1	0xf6ed	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:19.516082048 CEST	192.168.2.10	1.1.1.1	0x3bd0	Standard query (0)	play.google.com	65	IN (0x0001)	false
Sep 27, 2024 12:55:20.278768063 CEST	192.168.2.10	1.1.1.1	0x58ac	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:55:20.278944016 CEST	192.168.2.10	1.1.1.1	0x99ca	Standard query (0)	play.google.com	65	IN (0x0001)	false
Sep 27, 2024 12:55:21.292417049 CEST	192.168.2.10	1.1.1.1	0xf3bf	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:55:21.292663097 CEST	192.168.2.10	1.1.1.1	0xa63	Standard query (0)	play.google.com	65	IN (0x0001)	false
Sep 27, 2024 12:55:23.324548960 CEST	192.168.2.10	1.1.1.1	0x6eec	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:55:24.339737892 CEST	192.168.2.10	1.1.1.1	0x6eec	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:55:25.339621067 CEST	192.168.2.10	1.1.1.1	0x6eec	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:55:27.341501951 CEST	192.168.2.10	1.1.1.1	0x6eec	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:55:31.356151104 CEST	192.168.2.10	1.1.1.1	0x6eec	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:55:51.641570091 CEST	192.168.2.10	1.1.1.1	0x67ef	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:55:51.641993999 CEST	192.168.2.10	1.1.1.1	0xdd7c	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 12:54:07.308301926 CEST	1.1.1.1	192.168.2.10	0xe2e8	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:07.309423923 CEST	1.1.1.1	192.168.2.10	0x6395	No error (0)	youtube.com			65	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298019886 CEST	1.1.1.1	192.168.2.10	0xc617	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298094034 CEST	1.1.1.1	192.168.2.10	0xfd7a	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 27, 2024 12:54:08.298094034 CEST	1.1.1.1	192.168.2.10	0xfd7a	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Sep 27, 2024 12:54:10.721973896 CEST	1.1.1.1	192.168.2.10	0x8045	No error (0)	www.google.com		142.250.184.196	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:10.722008944 CEST	1.1.1.1	192.168.2.10	0x4a75	No error (0)	www.google.com			65	IN (0x0001)	false
Sep 27, 2024 12:54:18.169702053 CEST	1.1.1.1	192.168.2.10	0x91b0	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 27, 2024 12:54:18.169702053 CEST	1.1.1.1	192.168.2.10	0x91b0	No error (0)	www3.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:54:18.169745922 CEST	1.1.1.1	192.168.2.10	0xc831	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 27, 2024 12:54:19.530457973 CEST	1.1.1.1	192.168.2.10	0xf6ed	No error (0)	play.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Sep 27, 2024 12:55:51.704663038 CEST	1.1.1.1	192.168.2.10	0x67ef	No error (0)	play.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49703	142.250.185.238	443	1516	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 10:54:08 UTC	847	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIk6HLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-27 10:54:08 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Fri, 27 Sep 2024 10:54:08 GMT Date: Fri, 27 Sep 2024 10:54:08 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Frame-Options: SAMEORIGIN Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49707	142.250.184.206	443	1516	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 10:54:08 UTC	865	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIk6HLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-27 10:54:10 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 27 Sep 2024 10:54:09 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script' Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Fri, 27-Sep-2024 11:24:09 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=BdcN0ZnEsCg; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=yD-ZOWDuR1M; Domain=.youtube.com; Expires=Wed, 26-Mar-2025 10:54:09 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgOQ%3D%3D; Domain=.youtube.com; Expires=Wed, 26-Mar-2025 10:54:09 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49713	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-27 10:54:12 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-27 10:54:13 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=21056 Date: Fri, 27 Sep 2024 10:54:12 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49717	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-27 10:54:13 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-27 10:54:14 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=25937 Date: Fri, 27 Sep 2024 10:54:14 GMT Content-Length: 55 Connection: close X-CID: 2
2024-09-27 10:54:14 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49735	216.58.206.46	443	1516	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 10:54:18 UTC	1232	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1648343792&timestamp=1727434457341 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.149" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.149", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.149" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIk6HLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-27 10:54:19 UTC	1978	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-peFITek6z9aOtQpetV7VMg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 27 Sep 2024 10:54:19 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Resource-Policy: cross-origin reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjctDikmJw0JBikPj6kkkDiJ3SZ7AGAXHSv_OsRUC8JOIi66HEi6yXuy-xXgdi1Z5LrKZAXCRxhbUJiIW4OW7PvbWdTeDH4f_aSnpJ-YXxmSmpeSWZJZUp-bmJmXnJ-fnZmanFxalFZalF8UYGRiYGlkZGegYW8QUGAH_hMWc" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-27 10:54:19 UTC	1978	IN	Data Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 70 65 46 49 54 65 6b 36 7a 39 61 4f 74 51 70 65 74 56 37 56 4d 67 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7619<html><head><script nonce="peFITek6z9aOtQpetV7VMg">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-09-27 10:54:19 UTC	1978	IN	Data Raw: 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 28 2e 2a 3f 29 5c 5c 29 29 Data Ascii: (\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s(?:\$(.?)\$)
2024-09-27 10:54:19 UTC	1978	IN	Data Raw: 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 55 69 6e 74 38 41 72 72 61 Data Ascii: "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a instanceof Uint8Arra
2024-09-27 10:54:19 UTC	1978	IN	Data Raw: 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d 31 5d 3b 28 66 3d 41 28 64 29 29 3f 62 2d 2d 3a 64 3d 76 6f 69 64 20 30 3b 63 3d Data Ascii: b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-1];(f=A(d))?b--:d=void 0;c=
2024-09-27 10:54:19 UTC	1978	IN	Data Raw: 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 6f 66 20 64 2e 70 72 6f 74 6f 74 79 70 65 5b 61 5d 21 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 46 28 64 2e 70 Data Ascii: a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&typeof d.prototype[a]!="function"&&F(d.p
2024-09-27 10:54:19 UTC	1978	IN	Data Raw: 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 6a 60 22 2b 6b 29 3b 6b 5b 66 5d 5b 74 68 69 73 2e 67 5d 3d 6c 3b 72 65 74 75 72 6e 20 74 68 69 Data Ascii: );var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))throw Error("j`"+k);k[f][this.g]=l;return thi
2024-09-27 10:54:19 UTC	1978	IN	Data Raw: 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 3f 6c 3d 62 2e 67 65 74 28 6b 29 3a 28 6c 3d 22 22 2b 20 2b 2b 68 2c 62 2e 73 65 74 28 6b 2c 6c 29 29 3a 6c 3d 22 70 5f 22 2b 6b 3b 76 61 72 20 6d 3d 67 5b 30 5d Data Ascii: ar l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)?l=b.get(k):(l=""+ ++h,b.set(k,l)):l="p_"+k;var m=g[0]
2024-09-27 10:54:19 UTC	1978	IN	Data Raw: 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 39 3e 3e 3e 30 29 2c 6a 62 3d 30 2c 6b 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 72 65 74 75 72 6e 20 61 2e 63 61 6c 6c 2e 61 70 70 6c 79 28 61 2e 62 69 6e 64 2c 61 72 67 75 6d Data Ascii: b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E9>>>0),jb=0,kb=function(a,b,c){return a.call.apply(a.bind,argum
2024-09-27 10:54:19 UTC	1978	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 62 28 22 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 22 29 3b 61 3d 3d 6e 75 6c 6c 26 26 28 61 3d 27 55 6e 6b 6e 6f 77 6e 20 45 72 72 6f 72 20 6f 66 20 74 79 70 65 20 22 6e 75 6c 6c 2f 75 6e 64 65 66 Data Ascii: function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=hb("window.location.href");a==null&&(a='Unknown Error of type "null/undef
2024-09-27 10:54:19 UTC	1978	IN	Data Raw: 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e 20 74 72 79 69 6e 67 20 74 6f 20 67 65 74 20 63 61 6c 6c 65 72 5d 5c 6e 22 29 7d 7d 65 6c 73 65 20 61 3f 63 2e 70 75 73 68 28 22 5b 2e 2e 2e 6c 6f 6e 67 20 73 74 61 63 6b 2e 2e 2e 5d 22 29 3a 63 2e 70 75 73 68 28 22 5b 65 6e 64 5d 22 29 3b 72 Data Ascii: ":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception trying to get caller]\n")}}else a?c.push("[...long stack...]"):c.push("[end]");r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49738	142.250.181.238	443	1516	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 10:54:20 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-27 10:54:20 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 10:54:20 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49737	142.250.181.238	443	1516	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 10:54:20 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-27 10:54:20 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 10:54:20 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49744	142.250.181.238	443	1516	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 10:54:21 UTC	1120	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 505 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.149" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.149", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.149" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIk6HLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-27 10:54:21 UTC	505	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 34 39 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 34 33 34 34 35 38 38 36 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.149"],[1,0,0,0,0]]],1828,[["1727434458869",null,null,null
2024-09-27 10:54:22 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=517=yW8Qvs6VhOh1-CBMcYZlhHplQXXKxfI8GpDJfx318sawDI0Uf1wAKwCyX0tfB9yGs3uRWUgmLVn8nDulWp0OMeulQnh-XS3uNs_xHhokWfAV8_Irba6PD-BOU-abjwiIbqW-RyMphdj9VnM_CoNN4pp1LjnYIHSKph3NAcL5KzGPGo2i9w; expires=Sat, 29-Mar-2025 10:54:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 10:54:22 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Fri, 27 Sep 2024 10:54:22 GMT Connection: close Transfer-Encoding: chunked
2024-09-27 10:54:22 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-27 10:54:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49743	142.250.181.238	443	1516	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 10:54:21 UTC	1120	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.149" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.149", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.149" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIk6HLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-27 10:54:21 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 34 39 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 34 33 34 34 35 38 37 34 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.149"],[1,0,0,0,0]]],1828,[["1727434458742",null,null,null
2024-09-27 10:54:22 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=517=dDxkoKA2z_kuMQuaPNPp8fMTqTBRVl1aMs0bApuSQQkC3kf6gyF4x0ZlMD9h89Sluq_wGknppAOnCpMWBzL3CxCzijvB84CU9tjwORyW44J08zplIGGVneO4jl6Oar4x2-16R-ceqf12gXIZcQhrJNHCU6yDgTkPxb-Z4eeCgABPPxvSGGQ; expires=Sat, 29-Mar-2025 10:54:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 10:54:22 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Fri, 27 Sep 2024 10:54:22 GMT Connection: close Transfer-Encoding: chunked
2024-09-27 10:54:22 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-27 10:54:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49745	4.245.163.56	443

Timestamp	Bytes transferred	Direction	Data
2024-09-27 10:54:22 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9TXGzWLSX1eOMza&MD=anumbD6B HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-27 10:54:23 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 448e734c-8082-40cf-989f-029e1f400033 MS-RequestId: 9483d4e5-1ad3-4304-a026-72e51b6cfdb1 MS-CV: pYWGJ7DC3kWGfuab.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 27 Sep 2024 10:54:22 GMT Connection: close Content-Length: 24490
2024-09-27 10:54:23 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-09-27 10:54:23 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49754	142.250.184.196	443	1516	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 10:54:23 UTC	1210	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.149" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.149", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.149" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIk6HLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=517=dDxkoKA2z_kuMQuaPNPp8fMTqTBRVl1aMs0bApuSQQkC3kf6gyF4x0ZlMD9h89Sluq_wGknppAOnCpMWBzL3CxCzijvB84CU9tjwORyW44J08zplIGGVneO4jl6Oar4x2-16R-ceqf12gXIZcQhrJNHCU6yDgTkPxb-Z4eeCgABPPxvSGGQ
2024-09-27 10:54:24 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Fri, 27 Sep 2024 09:52:38 GMT Expires: Sat, 05 Oct 2024 09:52:38 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 3706 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-09-27 10:54:24 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-09-27 10:54:24 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-09-27 10:54:24 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-09-27 10:54:24 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-09-27 10:54:24 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49758	142.250.181.238	443	1516	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 10:54:27 UTC	1295	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1218 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.149" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.149", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.149" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIk6HLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=517=dDxkoKA2z_kuMQuaPNPp8fMTqTBRVl1aMs0bApuSQQkC3kf6gyF4x0ZlMD9h89Sluq_wGknppAOnCpMWBzL3CxCzijvB84CU9tjwORyW44J08zplIGGVneO4jl6Oar4x2-16R-ceqf12gXIZcQhrJNHCU6yDgTkPxb-Z4eeCgABPPxvSGGQ
2024-09-27 10:54:27 UTC	1218	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 34 39 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 34 33 34 34 35 36 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.149"],[4,0,0,0,0]]],558,[["1727434456000",null,null,null,
2024-09-27 10:54:28 UTC	941	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=517=MR00knav-4WBmlgv8_k1hYLBlMYqHWhordyCdZySrtycIY60933pirWHnunEbxCI_1Z3IgmHNp0J_n1iDU8_1sCuJM3Miw17AWLw9LajKro10JqqQAjkGSrxBb45GuTNWgSVu2PMX53tAhZikH-Lsz1WusWkdFpBn7En2bF8_JaV5pb4We9nHyU46vg; expires=Sat, 29-Mar-2025 10:54:28 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 10:54:28 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Fri, 27 Sep 2024 10:54:28 GMT Connection: close Transfer-Encoding: chunked
2024-09-27 10:54:28 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-27 10:54:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49760	142.250.181.238	443	1516	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 10:54:54 UTC	1326	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1507 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.149" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.149", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.149" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIk6HLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=517=MR00knav-4WBmlgv8_k1hYLBlMYqHWhordyCdZySrtycIY60933pirWHnunEbxCI_1Z3IgmHNp0J_n1iDU8_1sCuJM3Miw17AWLw9LajKro10JqqQAjkGSrxBb45GuTNWgSVu2PMX53tAhZikH-Lsz1WusWkdFpBn7En2bF8_JaV5pb4We9nHyU46vg
2024-09-27 10:54:54 UTC	1507	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 34 39 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 34 33 34 34 38 39 34 35 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.149"],[1,0,0,0,0]]],1828,[["1727434489456",null,null,null

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49761	142.250.181.238	443	1516	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 10:54:54 UTC	1326	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1269 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.149" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.149", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.149" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIk6HLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=517=MR00knav-4WBmlgv8_k1hYLBlMYqHWhordyCdZySrtycIY60933pirWHnunEbxCI_1Z3IgmHNp0J_n1iDU8_1sCuJM3Miw17AWLw9LajKro10JqqQAjkGSrxBb45GuTNWgSVu2PMX53tAhZikH-Lsz1WusWkdFpBn7En2bF8_JaV5pb4We9nHyU46vg
2024-09-27 10:54:54 UTC	1269	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 34 39 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 34 33 34 34 38 39 35 37 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.149"],[1,0,0,0,0]]],1828,[["1727434489570",null,null,null

Target ID:	0
Start time:	06:54:04
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xca0000
File size:	1'167'360 bytes
MD5 hash:	55AD212EF14E1D3A99251BA84D4C3497
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	06:54:04
Start date:	27/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	06:54:05
Start date:	27/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1980,i,6137211469705690225,15754436481577264097,262144 /prefetch:8
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	06:54:18
Start date:	27/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5424 --field-trial-handle=1980,i,6137211469705690225,15754436481577264097,262144 /prefetch:8
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	06:54:18
Start date:	27/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1980,i,6137211469705690225,15754436481577264097,262144 /prefetch:8
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1538
Total number of Limit Nodes:	52

Executed Functions

Function 00CA42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00CA430D

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

GetCurrentProcess.KERNEL32(?,00D3CB64,00000000,?,?), ref: 00CA4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00CA4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00CA4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00CA4466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00CA4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00CA447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00CA44A0

Strings

|O, xrefs: 00CE36F8
kernel32.dll, xrefs: 00CA444F
GetNativeSystemInfo, xrefs: 00CA4460

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 567128170a557ce9e7456b261e16ec9ad56ea7ac1bd90cb97b237dc007736731
Instruction ID: 7daf463096d3fe05b5a96b5a660e5c2827013d1bbd0124c06e19a44fdc6e7310
Opcode Fuzzy Hash: 567128170a557ce9e7456b261e16ec9ad56ea7ac1bd90cb97b237dc007736731
Instruction Fuzzy Hash: 64A1F37A91A3C0CFC715CB7E7C451A57FA47B67304B085A9AE08DD7BA2F2604688DB31

Function 00CA42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00CA50AA,?,?,00000000,00000000), ref: 00CA42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00CA50AA,?,?,00000000,00000000), ref: 00CA42C9
LoadResource.KERNEL32(?,00000000,?,?,00CA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CA4F20), ref: 00CE35BE
SizeofResource.KERNEL32(?,00000000,?,?,00CA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CA4F20), ref: 00CE35D3
LockResource.KERNEL32(00CA50AA,?,?,00CA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CA4F20,?), ref: 00CE35E6

Strings

SCRIPT, xrefs: 00CA42BF

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 3d9c1951c1989699f48eab2a8ee3bd5c8681c24d2c16f7afdf057dc5ed975762
Instruction ID: 16cdc337e22fae8ca31e96f1b14659934c6ecc9cfb362e20642e4bc8e7e1a4a8
Opcode Fuzzy Hash: 3d9c1951c1989699f48eab2a8ee3bd5c8681c24d2c16f7afdf057dc5ed975762
Instruction Fuzzy Hash: 80118E75240701BFD7258B65DC48F277BB9EBC6B55F104269F412EA250DBB1DD008730

Function 00CE2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00CA2B6B

Part of subcall function 00CA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D71418,?,00CA2E7F,?,?,?,00000000), ref: 00CA3A78

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00D62224), ref: 00CE2C10
ShellExecuteW.SHELL32(00000000,?,?,00D62224), ref: 00CE2C17

Strings

runas, xrefs: 00CE2C0B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 71a19e80c69f55467583fec9f1ade6360e66502cb445e2c3909900a20f41ac41
Instruction ID: 14a410c24147b5da4991358393bb32eef250b34925ec1ba647e6ca82c9dd0c20
Opcode Fuzzy Hash: 71a19e80c69f55467583fec9f1ade6360e66502cb445e2c3909900a20f41ac41
Instruction Fuzzy Hash: 7F11B4312083835BC714FF68E8669BE77A49B9335CF44552DF057521A2DF208A4AA732

Function 00D0DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00CE5222), ref: 00D0DBCE
GetFileAttributesW.KERNEL32(?), ref: 00D0DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00D0DBEE
FindClose.KERNEL32(00000000), ref: 00D0DBFA

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 72101fbcc153c051422b1d5290610a1d9178e43264c8eedae0f70726e1a0288f
Instruction ID: 99e105c7f183cf2045e32cf12e286e5c5438b736e4e211dd8a9b3975ad87a8a6
Opcode Fuzzy Hash: 72101fbcc153c051422b1d5290610a1d9178e43264c8eedae0f70726e1a0288f
Instruction Fuzzy Hash: EEF0A73142062057D2206BB89C0D56F3B7D9E05334B144703F879D11E0EBB0595486BD

Function 00CAD731 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00CAD807
timeGetTime.WINMM ref: 00CADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CADB28
TranslateMessage.USER32(?), ref: 00CADB7B
DispatchMessageW.USER32(?), ref: 00CADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CADB9F
Sleep.KERNEL32(0000000A), ref: 00CADBB1

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 0874d1c12d1992da447b381f6f446e1862bcf690577905970519884fc07c87b6
Instruction ID: f0e7da320600481fb9aeb052921aca58a0bbcdba6e2d8dfd62aac1f8a5fadfce
Opcode Fuzzy Hash: 0874d1c12d1992da447b381f6f446e1862bcf690577905970519884fc07c87b6
Instruction Fuzzy Hash: A242D130608346DFD768CF25C884BBAB7E0BF46318F144619E967876A1D770E984DBA3

Function 00CA2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CA2D07
RegisterClassExW.USER32(00000030), ref: 00CA2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CA2D42
InitCommonControlsEx.COMCTL32(?), ref: 00CA2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CA2D6F
LoadIconW.USER32(000000A9), ref: 00CA2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CA2D94

Strings

0, xrefs: 00CA2CE9
+, xrefs: 00CA2CF0
AutoIt v3 GUI, xrefs: 00CA2D23
TaskbarCreated, xrefs: 00CA2D37

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 13ff7899c5ff3461d3ec67ffec0fc217f0ad6f1c379808fad1ed9d318440c1d0
Instruction ID: 1611533b31fd5b976eaf2a4497ea232bef6b2c5f60b6251900ac8bdfd1ecc788
Opcode Fuzzy Hash: 13ff7899c5ff3461d3ec67ffec0fc217f0ad6f1c379808fad1ed9d318440c1d0
Instruction Fuzzy Hash: 8E21E7B9911309AFDB00DFA8E849BDDBBB4FB08700F10521AEA15F6390E7B145448FA0

Function 00CE065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CE039A: CreateFileW.KERNEL32(00000000,00000000,?,00CE0704,?,?,00000000,?,00CE0704,00000000,0000000C), ref: 00CE03B7

GetLastError.KERNEL32 ref: 00CE076F
__dosmaperr.LIBCMT ref: 00CE0776
GetFileType.KERNEL32(00000000), ref: 00CE0782
GetLastError.KERNEL32 ref: 00CE078C
__dosmaperr.LIBCMT ref: 00CE0795
CloseHandle.KERNEL32(00000000), ref: 00CE07B5
CloseHandle.KERNEL32(?), ref: 00CE08FF
GetLastError.KERNEL32 ref: 00CE0931
__dosmaperr.LIBCMT ref: 00CE0938

Strings

H, xrefs: 00CE08BD

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 287cec263b0eb354977916f226bb563c9eccfe30e7a29fbab20e4ac96cfd789a
Instruction ID: 915c3f220dff9d35e70168e6f3c222c6fe255576b369fd69b104543b1706c0f8
Opcode Fuzzy Hash: 287cec263b0eb354977916f226bb563c9eccfe30e7a29fbab20e4ac96cfd789a
Instruction Fuzzy Hash: 19A13732A002848FDF19AF68D851BAE7BA1AB06320F24015DF815EB3D1D7719D93DBA1

Function 00CA344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D71418,?,00CA2E7F,?,?,?,00000000), ref: 00CA3A78

Part of subcall function 00CA3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CA3379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00CA356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00CE318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00CE31CE
RegCloseKey.ADVAPI32(?), ref: 00CE3210
_wcslen.LIBCMT ref: 00CE3277
_wcslen.LIBCMT ref: 00CE3286

Strings

\, xrefs: 00CE328C
Software\AutoIt v3\AutoIt, xrefs: 00CA3560
Include, xrefs: 00CE3184, 00CE31C5
\Include\, xrefs: 00CA3527

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: c744959612dd88941c995a8d7da8af17554430ce4dd1cc002d86f67256d9a499
Instruction ID: 9b198f330af10d291e6cac08757f8afcc3cd607650009b6d93e7e209fef4696b
Opcode Fuzzy Hash: c744959612dd88941c995a8d7da8af17554430ce4dd1cc002d86f67256d9a499
Instruction Fuzzy Hash: 8571A1714043819EC304EF65DC869ABBBE8FF85354F40482EF589D72A1EB749A88DB71

Function 00CA2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CA2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00CA2B9D
LoadIconW.USER32(00000063), ref: 00CA2BB3
LoadIconW.USER32(000000A4), ref: 00CA2BC5
LoadIconW.USER32(000000A2), ref: 00CA2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00CA2BEF
RegisterClassExW.USER32(?), ref: 00CA2C40

Part of subcall function 00CA2CD4: GetSysColorBrush.USER32(0000000F), ref: 00CA2D07
Part of subcall function 00CA2CD4: RegisterClassExW.USER32(00000030), ref: 00CA2D31
Part of subcall function 00CA2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CA2D42
Part of subcall function 00CA2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00CA2D5F
Part of subcall function 00CA2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CA2D6F
Part of subcall function 00CA2CD4: LoadIconW.USER32(000000A9), ref: 00CA2D85
Part of subcall function 00CA2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CA2D94

Strings

#, xrefs: 00CA2C16
AutoIt v3, xrefs: 00CA2C2F
0, xrefs: 00CA2C0F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 62b08dd94e092f6bcbf6b99c9bc68b36ab19facfd9cdecf4b6d6fd368d8f3102
Instruction ID: fd8648db7f8c348b520a83cec27cc8d4b4705b30a5c3794adb7e19eca370a7c7
Opcode Fuzzy Hash: 62b08dd94e092f6bcbf6b99c9bc68b36ab19facfd9cdecf4b6d6fd368d8f3102
Instruction Fuzzy Hash: 77212CB9E10314ABDB109FA9EC56B9D7FB4FB48B50F10411AF508E67A0E7B15584CFA0

Function 00CA3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00CA316A,?,?), ref: 00CA31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00CA316A,?,?), ref: 00CA3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CA3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00CA316A,?,?), ref: 00CA3232
CreatePopupMenu.USER32 ref: 00CA3246
PostQuitMessage.USER32(00000000), ref: 00CA3267

Strings

TaskbarCreated, xrefs: 00CA322D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 6f79845ab779561dd41f781f21d4689ee0879a9d43734fbb6f448c02c7381b3d
Instruction ID: e687aa99a59146e4452019a33a07ee454b27fc6dd5b33ebd11b6ba0829319a59
Opcode Fuzzy Hash: 6f79845ab779561dd41f781f21d4689ee0879a9d43734fbb6f448c02c7381b3d
Instruction Fuzzy Hash: DC412739250386ABDB151B7C9C2EB7D3A19E747348F040315FA2AD63E2E7618B40D7B1

Function 00CA2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00CA2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00CA2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00CA1CAD,?), ref: 00CA2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00CA1CAD,?), ref: 00CA2CCF

Strings

AutoIt v3, xrefs: 00CA2C89, 00CA2C8E, 00CA2C8F
edit, xrefs: 00CA2CAC

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: dcb022980bea03d569288eb51f73eda80ef56eb36c50282fcb72ac2d29eda040
Instruction ID: 934f8234dbc14a1fd1feb8f02a986a2c6eefb233be447ee9fa665208bdae47de
Opcode Fuzzy Hash: dcb022980bea03d569288eb51f73eda80ef56eb36c50282fcb72ac2d29eda040
Instruction Fuzzy Hash: 3CF0DA795503A07AEB31176BAC09F773EBDD7C6F50F01515AF908E27A0E6611890DEB0

Function 00D2AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00D2AEA3

Part of subcall function 00CA7620: _wcslen.LIBCMT ref: 00CA7625

GetProcessId.KERNEL32(00000000), ref: 00D2AF38
CloseHandle.KERNEL32(00000000), ref: 00D2AF67

Strings

<, xrefs: 00D2AE6B
@, xrefs: 00D2AE72

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 0ae529eb7e292a5e3b0a9689d150e120d64639c3f519d7a995f6bc5fa23c49b8
Instruction ID: c7973620461d8982e14f838728bee23185a309ccd30c5bc379908bc55343f5e4
Opcode Fuzzy Hash: 0ae529eb7e292a5e3b0a9689d150e120d64639c3f519d7a995f6bc5fa23c49b8
Instruction Fuzzy Hash: 06718C71A00629DFCB14EF58D484A9EBBF0FF09318F058499E816AB362D774ED45CBA1

Function 00D0E97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00D0E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00D0E9A5
Sleep.KERNEL32(00000000), ref: 00D0E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00D0E9B7
Sleep.KERNEL32 ref: 00D0E9F3

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 83933fe337fdb6cc1e847e0cdaf0cef872ac24e2632ab09394d2268226c0abd4
Instruction ID: becd122e78c95907f2a6f665acbb3ddcacda4e49b3cedba092a2d2e3c5794744
Opcode Fuzzy Hash: 83933fe337fdb6cc1e847e0cdaf0cef872ac24e2632ab09394d2268226c0abd4
Instruction Fuzzy Hash: DA011731D01629DBCF00ABE6ED59BEDFB78FB09701F000956E946B2291CB7096549BB1

Function 00CA3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00CA3B0F,SwapMouseButtons,00000004,?), ref: 00CA3B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00CA3B0F,SwapMouseButtons,00000004,?), ref: 00CA3B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00CA3B0F,SwapMouseButtons,00000004,?), ref: 00CA3B83

Strings

Control Panel\Mouse, xrefs: 00CA3B3E

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0aa221730c27bd8f5516bc6ddce5f0d8f3a55824b4476226ea3ad2638ddfd241
Instruction ID: 4a83c00bd1c8bf4384e12433d51a38e91afa87ee58cddcb96c8222704af525c1
Opcode Fuzzy Hash: 0aa221730c27bd8f5516bc6ddce5f0d8f3a55824b4476226ea3ad2638ddfd241
Instruction Fuzzy Hash: 19112AB5521249FFDB208FA5EC99AAEB7B9EF05748B104459B805E7210D3319F409770

Function 00CA3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00CE33A2

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CA3A04

Strings

Line: , xrefs: 00CE33EB

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: ca65e7ebc6d675b8f6a623e940c87e5e6b380b95e6e5e974d1730074c759791a
Instruction ID: 6b343658e39a09eb598346af34bacafc2d8f326851dd289bc0fe10e913fb22eb
Opcode Fuzzy Hash: ca65e7ebc6d675b8f6a623e940c87e5e6b380b95e6e5e974d1730074c759791a
Instruction Fuzzy Hash: 5931F671408341AFC721EB64DC56FEBB7E8AB41318F00461EF499931A1EB709B49D7D2

Function 00CBFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00CC0668

Part of subcall function 00CC32A4: RaiseException.KERNEL32(?,?,?,00CC068A,?,00D71444,?,?,?,?,?,?,00CC068A,00CA1129,00D68738,00CA1129), ref: 00CC3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00CC0685

Strings

Unknown exception, xrefs: 00CC0692

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: a2a64ae26291a8cfa0759b522e31b08ee14e94b90dedb6279f2488bfc3ab7d3b
Instruction ID: b5dc62cbdae627264de5b3ce80366b5032d589ac00861a7c3a469a1bf82c604c
Opcode Fuzzy Hash: a2a64ae26291a8cfa0759b522e31b08ee14e94b90dedb6279f2488bfc3ab7d3b
Instruction Fuzzy Hash: D8F04F3490020DB78F04BAB5EC4AE9E7B6C5E40350F70853DF92496692EF71DB6AA690

Function 00CA10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CA1BF4
Part of subcall function 00CA1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00CA1BFC
Part of subcall function 00CA1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CA1C07
Part of subcall function 00CA1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CA1C12
Part of subcall function 00CA1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00CA1C1A
Part of subcall function 00CA1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00CA1C22

Part of subcall function 00CA1B4A: RegisterWindowMessageW.USER32(00000004,?,00CA12C4), ref: 00CA1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00CA136A
OleInitialize.OLE32 ref: 00CA1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00CE24AB

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 2272a2c3909c30b5bbe0bac8a0e03017cccb708182b7b659ce58ebbf39124178
Instruction ID: 54032aad866597610aa886c5944869049180585a9c3074a6d1aabb101b0a6b9b
Opcode Fuzzy Hash: 2272a2c3909c30b5bbe0bac8a0e03017cccb708182b7b659ce58ebbf39124178
Instruction Fuzzy Hash: C07199BC9213019EC388EF7DA8466993AF5FB89348B58832A940ED7361FB304484DF71

Function 00D0C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CA3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D0C259
KillTimer.USER32(?,00000001,?,?), ref: 00D0C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D0C270

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 39b40d65c60f021e9a730d102358517aca6f25dd4e3356d061b39fea4b150a62
Instruction ID: 65e143a133c998823c6b98dcbfa2cc02b4538fde9e387c77d9af46a757ac9be8
Opcode Fuzzy Hash: 39b40d65c60f021e9a730d102358517aca6f25dd4e3356d061b39fea4b150a62
Instruction Fuzzy Hash: AA31C370914344AFEB228F748855BEBBBEC9F06308F04149EE5DEA7281C7745A84CB65

Function 00CD86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,00CD85CC,?,00D68CC8,0000000C), ref: 00CD8704
GetLastError.KERNEL32(?,00CD85CC,?,00D68CC8,0000000C), ref: 00CD870E
__dosmaperr.LIBCMT ref: 00CD8739

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: b66575f25cf9d80adb10f1e21809c4085fa74e9dba93cd07b2b691f3933cf16b
Instruction ID: 09dc2cca28b36c94b2bff036bf9c6288d960e780a01e005f3f3872c3d69718f1
Opcode Fuzzy Hash: b66575f25cf9d80adb10f1e21809c4085fa74e9dba93cd07b2b691f3933cf16b
Instruction Fuzzy Hash: 3001613360576026D6246734A845B7E6B498F81774F39011FFB28DB3E2DEB0CDC69260

Function 00CADB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00CADB7B
DispatchMessageW.USER32(?), ref: 00CADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CADB9F
Sleep.KERNEL32(0000000A), ref: 00CADBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00CF1CC9

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: fff6562f27599e9db8d3b927193a43d11dc6f0d70e824cc89c272dfe7a02d445
Instruction ID: 5d00de99afb74336a04089a58226bae02be72223961806d89ee74de8d20b82a4
Opcode Fuzzy Hash: fff6562f27599e9db8d3b927193a43d11dc6f0d70e824cc89c272dfe7a02d445
Instruction Fuzzy Hash: E9F05E706043459BEB30CB609C49FEA73A8EB45710F104618EA6BD31C0EB3095888B76

Function 00CB1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00CB17F6

Strings

CALL, xrefs: 00CB17C6

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: c55cdd6262cff93bc640845a0450ba2baa31bb9105a441dab4ffc5eaa863fac4
Instruction ID: 614b49d53bf130771da19a123a7ff1aad2400a89132f6e4faedae1c73197fd93
Opcode Fuzzy Hash: c55cdd6262cff93bc640845a0450ba2baa31bb9105a441dab4ffc5eaa863fac4
Instruction Fuzzy Hash: 6622AB706083419FC714CF25C8A0AAABBF1FF85314F68891DF9968B3A1D731E945DB92

Function 00CA2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00CE2C8C

Part of subcall function 00CA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CA3A97,?,?,00CA2E7F,?,?,?,00000000), ref: 00CA3AC2

Part of subcall function 00CA2DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00CA2DC4

Strings

X, xrefs: 00CE2C5A

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 0f9d3798246b517a842a8df4b55cf9828519ec9f9e7e7ea231f2f22d031ba133
Instruction ID: 94154f4a640e1a4af54b232b5783fc2c9544b9fe45d30c3f3234b6446dba0140
Opcode Fuzzy Hash: 0f9d3798246b517a842a8df4b55cf9828519ec9f9e7e7ea231f2f22d031ba133
Instruction Fuzzy Hash: CB219371A002989BDB05DF99C845BEE7BFCAF49308F004059E505F7341DBB49A899BA1

Function 00CA3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CA3908

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: b6c1f08c6d3ad757efff66a8bfe3a5f5bab2351fe0ad7f02e7a415a0b8700ddd
Instruction ID: 340dacf86898e224f3e3c9b0d030e95968ca23ab199fc56772e5d2a25eed2789
Opcode Fuzzy Hash: b6c1f08c6d3ad757efff66a8bfe3a5f5bab2351fe0ad7f02e7a415a0b8700ddd
Instruction Fuzzy Hash: 383180705043419FD720DF64D895797BBE8FB49708F00092EF599D7390E775AA44CB62

Function 00CBF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00CBF661

Part of subcall function 00CAD731: GetInputState.USER32 ref: 00CAD807

Sleep.KERNEL32(00000000), ref: 00CFF2DE

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: c30519fc0cb0b257158808aa617b6e27dc85603a10539c399d49e725be53ef70
Instruction ID: e9a6bceb34c88a2141dbcc919fd5bea1962100b2715286169ff149ef06f478c1
Opcode Fuzzy Hash: c30519fc0cb0b257158808aa617b6e27dc85603a10539c399d49e725be53ef70
Instruction Fuzzy Hash: 05F082312403069FD314EF69D855BAAB7E5EF46760F004029F85AD7361DB70AC00DBA1

Function 00CAB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00CABB4E

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 07df77e55e855f3d01d14b60ccdb29e03fbe51dfc1c4ced22696baa234a477e9
Instruction ID: c31b63f9ac6112cb229261c46bbc5cceb3f66f37fa3735ff7d549f06d47008f9
Opcode Fuzzy Hash: 07df77e55e855f3d01d14b60ccdb29e03fbe51dfc1c4ced22696baa234a477e9
Instruction Fuzzy Hash: 1732C134A0020ADFDB14CF64C894BBEB7B5EF45718F248059EA15AB362D774EE81CB61

Function 00D258A2 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00D25930

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 27584d54b18a78980417dadd2d6c6831aeb241e83ec572ec4840b6962b8b0c05
Instruction ID: b55f605a1283bd4dfbdd1d84764ed1e0217ccaf45c0ee8fcf6854fd2e84d596c
Opcode Fuzzy Hash: 27584d54b18a78980417dadd2d6c6831aeb241e83ec572ec4840b6962b8b0c05
Instruction Fuzzy Hash: 9671AD30600225AFCB14DF54E882EBAB7F5FF68308F148169F94997285E771ED81DBA0

Function 00D32598 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000013,00000001,?), ref: 00D32649

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 252a11c6e0873b993c326b9281add8425c4f4da429105828d4bcfa09cc837e95
Instruction ID: 99fc00cfc5ceb8559857317a6081655b54a51d4a0339e88537c91cb8d194f830
Opcode Fuzzy Hash: 252a11c6e0873b993c326b9281add8425c4f4da429105828d4bcfa09cc837e95
Instruction Fuzzy Hash: E621D47560061AAFD710DF18C8D1E76B799EF45368F18806CE8968B392C771ED41CBB0

Function 00D313B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 00D31420

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ad812eb819f049a510e19c1dd2201fe77a73f279bc47995506bef55883592240
Instruction ID: 3d891849e00bee24832de7e85563bf08e9ecd051193246f1f4529ca2a042c9a3
Opcode Fuzzy Hash: ad812eb819f049a510e19c1dd2201fe77a73f279bc47995506bef55883592240
Instruction Fuzzy Hash: E5319134604603AFD714EF29C491B69F7A2FF45328F048168E8594B392DB31EC41CBE0

Function 00CA4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CA4EDD,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4E9C
Part of subcall function 00CA4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CA4EAE
Part of subcall function 00CA4E90: FreeLibrary.KERNEL32(00000000,?,?,00CA4EDD,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4EFD

Part of subcall function 00CA4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CE3CDE,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4E62
Part of subcall function 00CA4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CA4E74
Part of subcall function 00CA4E59: FreeLibrary.KERNEL32(00000000,?,?,00CE3CDE,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4E87

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 3dea37b7f619cdbdaebbbe7818db61ef5d83e789f45772d3dba45fc3a1a56b95
Instruction ID: 9912364e94fa306e3394ebb9f403862c877fcd44b19db9d21a481c6ffdf86861
Opcode Fuzzy Hash: 3dea37b7f619cdbdaebbbe7818db61ef5d83e789f45772d3dba45fc3a1a56b95
Instruction Fuzzy Hash: F811E732610206AECB18ABA5DC06FADB7A59F81714F20842DF552B71C1DEB1AE45A760

Function 00CD8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00CD8440

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 517608472ca71d8fd715736d144a4877f4f8d7f6c3065a3a28b6688149758821
Instruction ID: f849ac841ef32f91c291cdda71be5466d358a1e651e9b4b61425ea5d1722ad05
Opcode Fuzzy Hash: 517608472ca71d8fd715736d144a4877f4f8d7f6c3065a3a28b6688149758821
Instruction Fuzzy Hash: 8511187590420AAFCB05DF58E941A9F7BF5FF48314F10405AF918AB312DB31EA15CBA5

Function 00CD5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CD4C7D: RtlAllocateHeap.NTDLL(00000008,00CA1129,00000000,?,00CD2E29,00000001,00000364,?,?,?,00CCF2DE,00CD3863,00D71444,?,00CBFDF5,?), ref: 00CD4CBE

_free.LIBCMT ref: 00CD506C

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 8027b9d558863091732c92e195847d1970dedc5b1329384418793bec94e9ee61
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: AC0126722047046BE3218E659881A5AFBECFB89370F25051EE294833C0EA30A905C6B4

Function 00D329BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,00D314B5,?), ref: 00D32A01

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: b5a34f77769747940f42b68a6af3c0851fcabeec57c42736c028c0b06ba95189
Instruction ID: 32f7936a1d6210120e5b20c31cea8745990878bea7353ac279c3c4feeefd1bbc
Opcode Fuzzy Hash: b5a34f77769747940f42b68a6af3c0851fcabeec57c42736c028c0b06ba95189
Instruction Fuzzy Hash: BD01B136B80A41AFD325CA2CC495B3237A2EB85354F2D8468C1878B251DB32FC42CBB0

Function 00CCE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 93ab542fed98b12c4feb0f467adf10fce37e101716b445e7020471521c490bcf
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 2EF0F432521A18D7C6313A7ACC05F9A339C9F63330F10072EF621922D2DB74E906A6A5

Function 00D3149E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 00D314EB

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: c2a500c9f463241afe2c0dee5b0ca90c1049ff331c5aa6767b47ebd3d8a71fcb
Instruction ID: 8901454782d479c74a9a6ce583a1b300418952cba8690d6eb3c0f304d7703471
Opcode Fuzzy Hash: c2a500c9f463241afe2c0dee5b0ca90c1049ff331c5aa6767b47ebd3d8a71fcb
Instruction Fuzzy Hash: 5901F7393057429FD320CFA9D840826BB95FF85324B58806DE84ACB712D672DD82CBF0

Function 00CA9CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CA9CBD

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: a4c8e0878007df0ef1154bed7fbda8674779e0b16340f6945e7a0ecc52953df3
Instruction ID: 503601a6138ceeda759ba81596cee130d77739bdfa83048d0eae1757846647b1
Opcode Fuzzy Hash: a4c8e0878007df0ef1154bed7fbda8674779e0b16340f6945e7a0ecc52953df3
Instruction Fuzzy Hash: 16F0C8B36006116ED7149F39DC07FA7BB98EB44760F10852EF619CB2D1DB31E51097A0

Function 00CD4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00CA1129,00000000,?,00CD2E29,00000001,00000364,?,?,?,00CCF2DE,00CD3863,00D71444,?,00CBFDF5,?), ref: 00CD4CBE

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6fb95648a456e4b801c73f792273babacaff3b658f407f29a64b62eda623f0be
Instruction ID: 9ff0f6fa4f846b7597f77e728e944781f53545768b99ccd6d2f1a1bc6d619227
Opcode Fuzzy Hash: 6fb95648a456e4b801c73f792273babacaff3b658f407f29a64b62eda623f0be
Instruction Fuzzy Hash: 7DF0E93172222467DB295F66DC05F5A3789BFD17A1B15811BFB29EA380CB70D90196E0

Function 00CD3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00D71444,?,00CBFDF5,?,?,00CAA976,00000010,00D71440,00CA13FC,?,00CA13C6,?,00CA1129), ref: 00CD3852

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9bbffe3c9b4482090ee36f780f49a80b90c1cf6d0250ad88ed9aaf8c380e65da
Instruction ID: 3c18f9799b70245a11804a227fcb8014105e5330f95af80cd13a3ed9c8137507
Opcode Fuzzy Hash: 9bbffe3c9b4482090ee36f780f49a80b90c1cf6d0250ad88ed9aaf8c380e65da
Instruction Fuzzy Hash: 71E0E5312003A456D7212667DC00F9A374AAB427B0F09012BFE24D67C0DB50DF01B2F2

Function 00CA4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4F6D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 0c979c33aa4d999ce06b9255a17ef8aa2f4a89236afa4c8b8bcd4096d876ef5d
Instruction ID: 360abd2ee178dcfba583855524182e7571c18ba082a4cb405ec391100ff12bb8
Opcode Fuzzy Hash: 0c979c33aa4d999ce06b9255a17ef8aa2f4a89236afa4c8b8bcd4096d876ef5d
Instruction Fuzzy Hash: 5BF03971105752CFDB389FA5D890822BBE4AF5632D320997EE1EA82621C7B19844EF51

Function 00D32A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D32A66

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: b0a3579688fe8180c6a7d808a38fee1bbbf585b10988d12aa228a712df84fede
Instruction ID: a651f0058c8f4182f8e74027b22fc2c6c94283777ab3d29db410941029d17bcb
Opcode Fuzzy Hash: b0a3579688fe8180c6a7d808a38fee1bbbf585b10988d12aa228a712df84fede
Instruction Fuzzy Hash: ECE0DF36750216ABC710EA30EC809FA735CEF10390B004036FC1AC2140DB30C99186B0

Function 00CA2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00CA2DC4

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 3c8fdf593d830b4a48727aa77bc32dadc1bab160bf9812b944d391fde7befad5
Instruction ID: c75159b90437ab19d606c36d68b0c49bdc82ba737e5877443bfdfb1ed12bcc8a
Opcode Fuzzy Hash: 3c8fdf593d830b4a48727aa77bc32dadc1bab160bf9812b944d391fde7befad5
Instruction Fuzzy Hash: 72E0C276A002245BCB21E7989C06FEA77EDDFC8790F0800B1FD09E7248DA70AD8096A0

Function 00CA2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CA3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CA3908

Part of subcall function 00CAD731: GetInputState.USER32 ref: 00CAD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00CA2B6B

Part of subcall function 00CA30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00CA314E

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 4041dd46524563b8be07acb20faf0e332e1d8b68d0b35b6d04f93821b286b2b0
Instruction ID: 0d1c2a78e5813a545ea6f2909ea8c270e99392706b9bafdb51f6b872948d8e02
Opcode Fuzzy Hash: 4041dd46524563b8be07acb20faf0e332e1d8b68d0b35b6d04f93821b286b2b0
Instruction Fuzzy Hash: 53E0262230028607C608BB38A8264BDA349CBD335DF40153EF047832A2DE2446455321

Function 00D03D03 Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D03D18

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: f2e707e9e337b40ef79a1b3d0b2d4a69e467697929027bc21b07388a272aeec5
Instruction ID: 0f098bf1c035a6ad3b3ca6cf2bb134b2bee42c3a76363b216773e2928682ab93
Opcode Fuzzy Hash: f2e707e9e337b40ef79a1b3d0b2d4a69e467697929027bc21b07388a272aeec5
Instruction Fuzzy Hash: 3BD012E06A03087EFB0083718C0BEBB329CC316A81F004BA47A02E65C1D9A0DE080230

Function 00CE039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00CE0704,?,?,00000000,?,00CE0704,00000000,0000000C), ref: 00CE03B7

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac93ffc9345b96b0bd5d01fe81fefae57dd35afa5012a91119cc6f8af98ad5ad
Instruction ID: c6e7d4edb44bd459e0938956ed05e221a4429cd43705fe1294d43f5370eec8d3
Opcode Fuzzy Hash: ac93ffc9345b96b0bd5d01fe81fefae57dd35afa5012a91119cc6f8af98ad5ad
Instruction Fuzzy Hash: B2D06C3205020DBBDF028F84DD06EDA3BAAFB48714F014000BE18A6120C732E821AB90

Function 00CA1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00CA1CBC

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a5dca6a1dd0f4cc68294065b10d30d443789fb6c7b67a1893e0d6898eda5ef97
Instruction ID: cf7a8a48fe4a40550f5c48fb5f297a564ea801b99605ea061d6ad5a1f9361af9
Opcode Fuzzy Hash: a5dca6a1dd0f4cc68294065b10d30d443789fb6c7b67a1893e0d6898eda5ef97
Instruction Fuzzy Hash: 21C0923B290304EFF2148B94BC4BF207764A348B00F048001F64DE9BE3E3A228A0EB70

Non-executed Functions

Function 00D39576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D3961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D3965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D3969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D396C9
SendMessageW.USER32 ref: 00D396F2
GetKeyState.USER32(00000011), ref: 00D3978B
GetKeyState.USER32(00000009), ref: 00D39798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D397AE
GetKeyState.USER32(00000010), ref: 00D397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D397E9
SendMessageW.USER32 ref: 00D39810
SendMessageW.USER32(?,00001030,?,00D37E95), ref: 00D39918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D3992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D39941
SetCapture.USER32(?), ref: 00D3994A
ClientToScreen.USER32(?,?), ref: 00D399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D399D6
ReleaseCapture.USER32 ref: 00D399E1
GetCursorPos.USER32(?), ref: 00D39A19
ScreenToClient.USER32(?,?), ref: 00D39A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D39A80
SendMessageW.USER32 ref: 00D39AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D39AEB
SendMessageW.USER32 ref: 00D39B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D39B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D39B4A
GetCursorPos.USER32(?), ref: 00D39B68
ScreenToClient.USER32(?,?), ref: 00D39B75
GetParent.USER32(?), ref: 00D39B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D39BFA
SendMessageW.USER32 ref: 00D39C2B
ClientToScreen.USER32(?,?), ref: 00D39C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D39CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D39CDE
SendMessageW.USER32 ref: 00D39D01
ClientToScreen.USER32(?,?), ref: 00D39D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D39D82

Part of subcall function 00CB9944: GetWindowLongW.USER32(?,000000EB), ref: 00CB9952

GetWindowLongW.USER32(?,000000F0), ref: 00D39E05

Strings

F, xrefs: 00D39D07
@GUI_DRAGID, xrefs: 00D3997D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: f3e3762e403069a1b433a2f0ba989cd6b6a6a30d93a32520e5e355a98db5b942
Instruction ID: 2920cacada72f44b01cfd09caa680de86f2511781aaa0d014ef65aedf3a7eec7
Opcode Fuzzy Hash: f3e3762e403069a1b433a2f0ba989cd6b6a6a30d93a32520e5e355a98db5b942
Instruction Fuzzy Hash: DF42AA35205301AFDB24CF28CCA5AAABBE5FF49310F180619F699D72A1D7B1E851CF61

Function 00D34873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00D348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00D34908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00D34927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00D3494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00D3495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00D3497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00D349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00D349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00D34A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D34A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D34A7E
IsMenu.USER32(?), ref: 00D34A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D34AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D34B20
GetWindowLongW.USER32(?,000000F0), ref: 00D34B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00D34BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00D34C82
wsprintfW.USER32 ref: 00D34CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D34CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D34CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D34D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D34D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D34D5A

Strings

%d/%02d/%02d, xrefs: 00D34CA8

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: dd01d2bd43a48d97191de84dbe893b99fbe3c44a7c94f749055687863cada81b
Instruction ID: b40f60e5fa4656143811ff181a6b1095ccd0ec246c02ee1fb6b29550ef4c3ad9
Opcode Fuzzy Hash: dd01d2bd43a48d97191de84dbe893b99fbe3c44a7c94f749055687863cada81b
Instruction Fuzzy Hash: CE12D071600354ABEB248F28DC49FAE7BF8EF45710F184129F515EA2E1DB78E941CB60

Function 00CBF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00CBF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CFF474
IsIconic.USER32(00000000), ref: 00CFF47D
ShowWindow.USER32(00000000,00000009), ref: 00CFF48A
SetForegroundWindow.USER32(00000000), ref: 00CFF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CFF4AA
GetCurrentThreadId.KERNEL32 ref: 00CFF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CFF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CFF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CFF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00CFF4DE
SetForegroundWindow.USER32(00000000), ref: 00CFF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CFF4F6
keybd_event.USER32(00000012,00000000), ref: 00CFF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CFF50B
keybd_event.USER32(00000012,00000000), ref: 00CFF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CFF519
keybd_event.USER32(00000012,00000000), ref: 00CFF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CFF528
keybd_event.USER32(00000012,00000000), ref: 00CFF52D
SetForegroundWindow.USER32(00000000), ref: 00CFF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00CFF557

Strings

Shell_TrayWnd, xrefs: 00CFF46F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 212bcfb8870ce12baa89b785c525e378db48320f53a9ae95dd3977714b0503eb
Instruction ID: 081399163b3d8fd074d740167a5402e8651bb6a45bbb19d4a3c5648b4e93adcf
Opcode Fuzzy Hash: 212bcfb8870ce12baa89b785c525e378db48320f53a9ae95dd3977714b0503eb
Instruction Fuzzy Hash: B4313E71A50318BBEB206BB55C4AFBF7E6CEB44B50F141069FA01F62D1C6B19901ABB1

Function 00D01201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00D016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D0170D
Part of subcall function 00D016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D0173A
Part of subcall function 00D016C3: GetLastError.KERNEL32 ref: 00D0174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00D01286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00D012A8
CloseHandle.KERNEL32(?), ref: 00D012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D012D1
GetProcessWindowStation.USER32 ref: 00D012EA
SetProcessWindowStation.USER32(00000000), ref: 00D012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D01310

Part of subcall function 00D010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D011FC), ref: 00D010D4
Part of subcall function 00D010BF: CloseHandle.KERNEL32(?,?,00D011FC), ref: 00D010E9

Strings

winsta0, xrefs: 00D012CC
, xrefs: 00D0125A
default, xrefs: 00D0130B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 8d5ff87a643890fc63ff3b25cf9aaaec71e4e003901b7100bdf95f8264d014ec
Instruction ID: 08b3faed44d2c28a640f62ace9d6701c6e1a4f0c5cf7e74f569852876c20989f
Opcode Fuzzy Hash: 8d5ff87a643890fc63ff3b25cf9aaaec71e4e003901b7100bdf95f8264d014ec
Instruction Fuzzy Hash: 2C816575900249ABDF219FA4DC49BEE7BB9EF04704F184129F918F62A0C771DA58CB30

Function 00D00B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D01114
Part of subcall function 00D010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D01120
Part of subcall function 00D010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D0112F
Part of subcall function 00D010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D01136
Part of subcall function 00D010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D0114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D00BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D00C00
GetLengthSid.ADVAPI32(?), ref: 00D00C17
GetAce.ADVAPI32(?,00000000,?), ref: 00D00C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D00C6D
GetLengthSid.ADVAPI32(?), ref: 00D00C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D00C8C
HeapAlloc.KERNEL32(00000000), ref: 00D00C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D00CB4
CopySid.ADVAPI32(00000000), ref: 00D00CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D00CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D00D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D00D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D00D45
HeapFree.KERNEL32(00000000), ref: 00D00D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D00D55
HeapFree.KERNEL32(00000000), ref: 00D00D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D00D65
HeapFree.KERNEL32(00000000), ref: 00D00D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D00D78
HeapFree.KERNEL32(00000000), ref: 00D00D7F

Part of subcall function 00D01193: GetProcessHeap.KERNEL32(00000008,00D00BB1,?,00000000,?,00D00BB1,?), ref: 00D011A1
Part of subcall function 00D01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D00BB1,?), ref: 00D011A8
Part of subcall function 00D01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D00BB1,?), ref: 00D011B7

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 357ae1b1a9afac5bb23ae605c8341ae082ba9caba71e0868cc7b38781d000da4
Instruction ID: a04c49032243b9394daad2c2cc587767cc46d739c82ddfb01e1eaa454080618d
Opcode Fuzzy Hash: 357ae1b1a9afac5bb23ae605c8341ae082ba9caba71e0868cc7b38781d000da4
Instruction Fuzzy Hash: 1D711676A0020ABBDF10DFA4DC45BEEBBBDAF04310F184525E919E6291D775AA05CBB0

Function 00D1EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D3CC08), ref: 00D1EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00D1EB37
GetClipboardData.USER32(0000000D), ref: 00D1EB43
CloseClipboard.USER32 ref: 00D1EB4F
GlobalLock.KERNEL32(00000000), ref: 00D1EB87
CloseClipboard.USER32 ref: 00D1EB91
GlobalUnlock.KERNEL32(00000000), ref: 00D1EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00D1EBC9
GetClipboardData.USER32(00000001), ref: 00D1EBD1
GlobalLock.KERNEL32(00000000), ref: 00D1EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00D1EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00D1EC38
GetClipboardData.USER32(0000000F), ref: 00D1EC44
GlobalLock.KERNEL32(00000000), ref: 00D1EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00D1EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D1EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D1ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00D1ECF3
CountClipboardFormats.USER32 ref: 00D1ED14
CloseClipboard.USER32 ref: 00D1ED59

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 000b56a6d723c015785c530dd1d4cf6f6320c049da273b3866189cb262bdcce0
Instruction ID: 96c52d07a82a68100b43a27375df346871c3805709661b0aa883ffd8debb84ee
Opcode Fuzzy Hash: 000b56a6d723c015785c530dd1d4cf6f6320c049da273b3866189cb262bdcce0
Instruction Fuzzy Hash: 9261C135204302AFD300EF24E889FAA77A4EF85714F085519F856D72A2DF71D985DBB2

Function 00D1698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D169BE
FindClose.KERNEL32(00000000), ref: 00D16A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D16A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D16A75

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00D16AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D16ADF

Strings

%03d, xrefs: 00D16DA2
%02d, xrefs: 00D16C00, 00D16C0A, 00D16C5A, 00D16CAA, 00D16CFA, 00D16D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00D16B6A
%4d, xrefs: 00D16BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00D16B32

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: fbb816fcbe7fab2cf200cb5750a7a802d363530c7c4156bd1b7e188b505e3d1e
Instruction ID: 55204b5afb840e6d5df06157a92e626db567aba1698a7ba8f6861e0bc1eed585
Opcode Fuzzy Hash: fbb816fcbe7fab2cf200cb5750a7a802d363530c7c4156bd1b7e188b505e3d1e
Instruction Fuzzy Hash: C6D14F72508301AFC710EBA4DC86EABB7ECEF89708F04491DF585D6291EB74DA44DB62

Function 00D19642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00D19663
GetFileAttributesW.KERNEL32(?), ref: 00D196A1
SetFileAttributesW.KERNEL32(?,?), ref: 00D196BB
FindNextFileW.KERNEL32(00000000,?), ref: 00D196D3
FindClose.KERNEL32(00000000), ref: 00D196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00D196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00D1974A
SetCurrentDirectoryW.KERNEL32(00D66B7C), ref: 00D19768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D19772
FindClose.KERNEL32(00000000), ref: 00D1977F
FindClose.KERNEL32(00000000), ref: 00D1978F

Strings

*.*, xrefs: 00D196F5

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: f2134b68af531f0e0c20300495a79e312751aa696fbf965b1b59ce5619feb879
Instruction ID: f4ca51ebe6ad5e0191b0631743f7a0607aba82da63e58f92c14d1f9f00e49080
Opcode Fuzzy Hash: f2134b68af531f0e0c20300495a79e312751aa696fbf965b1b59ce5619feb879
Instruction Fuzzy Hash: A831A036650219BFDB14AFB4EC69ADEB7ACAF09321F144165F815E21E0DB30DA84CB34

Function 00D1979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00D197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00D19819
FindClose.KERNEL32(00000000), ref: 00D19824
FindFirstFileW.KERNEL32(*.*,?), ref: 00D19840
SetCurrentDirectoryW.KERNEL32(?), ref: 00D19890
SetCurrentDirectoryW.KERNEL32(00D66B7C), ref: 00D198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D198B8
FindClose.KERNEL32(00000000), ref: 00D198C5
FindClose.KERNEL32(00000000), ref: 00D198D5

Part of subcall function 00D0DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D0DB00

Strings

*.*, xrefs: 00D1983B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c2bced4d5ab484b80a8f97ae996867f45b612a68c5d68022fc20899939aa6dce
Instruction ID: 8502e3deeafe49d749ad17cdb6ffae921503a83e2ec7f43cd7421508642a7212
Opcode Fuzzy Hash: c2bced4d5ab484b80a8f97ae996867f45b612a68c5d68022fc20899939aa6dce
Instruction Fuzzy Hash: 333183325406197EDB14AFB4FC68ADEB7ACAF06320F144166E854E2190DF31D9C5CB74

Function 00D2BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D2B6AE,?,?), ref: 00D2C9B5
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2C9F1
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2CA68
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D2BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00D2BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00D2BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D2C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00D2C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D2C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D2C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00D2C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D2C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D2C382
RegCloseKey.ADVAPI32(00000000), ref: 00D2C38F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 28e0e78331ea4e6b41021ee384f95b7f9b1575cf375615e1e8abd6a2b57a9747
Instruction ID: 1532460314465470d9bc36a3b575959903835e206090ea2a67e7a4f3b04c43eb
Opcode Fuzzy Hash: 28e0e78331ea4e6b41021ee384f95b7f9b1575cf375615e1e8abd6a2b57a9747
Instruction Fuzzy Hash: 00026E716142109FC714DF28D895E2ABBE5EF49318F18C89DF84ADB2A2DB31EC45CB61

Function 00D18195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D18257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D18267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D18273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D18310
SetCurrentDirectoryW.KERNEL32(?), ref: 00D18324
SetCurrentDirectoryW.KERNEL32(?), ref: 00D18356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D1838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00D18395

Strings

*.*, xrefs: 00D1839B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: c1ba882cdce423c6a6b3c5fe387b79f1d94c1745b68be5336783d58ac74a4520
Instruction ID: c9aba1711a3798c3bbec89af6614ab982691ac94c76cb64be031aa57cb7c9910
Opcode Fuzzy Hash: c1ba882cdce423c6a6b3c5fe387b79f1d94c1745b68be5336783d58ac74a4520
Instruction Fuzzy Hash: F2617CB2504305AFC710EF64D88099EB3E8FF89314F08891EF999D7251DB31E945DBA2

Function 00D0D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CA3A97,?,?,00CA2E7F,?,?,?,00000000), ref: 00CA3AC2

Part of subcall function 00D0E199: GetFileAttributesW.KERNEL32(?,00D0CF95), ref: 00D0E19A

FindFirstFileW.KERNEL32(?,?), ref: 00D0D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00D0D1DD
MoveFileW.KERNEL32(?,?), ref: 00D0D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00D0D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D0D237

Part of subcall function 00D0D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00D0D21C,?,?), ref: 00D0D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00D0D253
FindClose.KERNEL32(00000000), ref: 00D0D264

Strings

\*.*, xrefs: 00D0D0CD, 00D0D0D6, 00D0D0EB

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 6e028d88d14124bb97c7b8a620eb45e70ce22b9b62a3348c53d08eb8278dcda1
Instruction ID: c316d0d8c1ff471e972ae7a3ec0715f9bd4063c8938378aa48ab369be7ada884
Opcode Fuzzy Hash: 6e028d88d14124bb97c7b8a620eb45e70ce22b9b62a3348c53d08eb8278dcda1
Instruction Fuzzy Hash: 72616F31C0125E9BCF05EBE0D952AEDB776AF55304F244166E406771A1EB309F09DB71

Function 00D1ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00D1ED91
EmptyClipboard.USER32 ref: 00D1ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00D1EDAC
CloseClipboard.USER32 ref: 00D1EEA3

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 18c5286a10db868cb7934cdca5f6df4511c9734cb43afb93e3ec33a8d7873d9f
Instruction ID: fb6a20a41dc51cca80aeda52755d9cc6675868b88c952a373bd88bfc07e5eb49
Opcode Fuzzy Hash: 18c5286a10db868cb7934cdca5f6df4511c9734cb43afb93e3ec33a8d7873d9f
Instruction Fuzzy Hash: 17419D35204611AFD310DF25E889B5ABBE5EF44318F18C099E8199B762CB35EC81CBA0

Function 00D0E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00D016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D0170D
Part of subcall function 00D016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D0173A
Part of subcall function 00D016C3: GetLastError.KERNEL32 ref: 00D0174A

ExitWindowsEx.USER32(?,00000000), ref: 00D0E932

Strings

, xrefs: 00D0E95C
, xrefs: 00D0E920
@, xrefs: 00D0E925
SeShutdownPrivilege, xrefs: 00D0E902

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d9d93c7851835c1059a4fc2414733463c569c54c706f1edf9e629479b753a238
Instruction ID: 52952626cd66fb9239cf90c31fb758c3d617cd1e2c87f6ba5c40ab8d4203a637
Opcode Fuzzy Hash: d9d93c7851835c1059a4fc2414733463c569c54c706f1edf9e629479b753a238
Instruction Fuzzy Hash: D701D673620311ABEB6467B4AC86BBB735CA714750F194D26FC4AF21D2D5A19C408AB4

Function 00D21204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D21276
WSAGetLastError.WSOCK32 ref: 00D21283
bind.WSOCK32(00000000,?,00000010), ref: 00D212BA
WSAGetLastError.WSOCK32 ref: 00D212C5
closesocket.WSOCK32(00000000), ref: 00D212F4
listen.WSOCK32(00000000,00000005), ref: 00D21303
WSAGetLastError.WSOCK32 ref: 00D2130D
closesocket.WSOCK32(00000000), ref: 00D2133C

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 482f8eef6b70cf689ad03b39c181d4659e734cb1764ecb743e6d962587c366a1
Instruction ID: 217ca191ddd68a856dab84c078e4690c6f6be5f61a2587b44f6b66ebd1cdb572
Opcode Fuzzy Hash: 482f8eef6b70cf689ad03b39c181d4659e734cb1764ecb743e6d962587c366a1
Instruction Fuzzy Hash: E9416F35A00211DFD710DF64D485B2ABBE6AF66318F18C198E8569F392C771ED81CBB1

Function 00CDB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CDB9D4
_free.LIBCMT ref: 00CDB9F8
_free.LIBCMT ref: 00CDBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00D43700), ref: 00CDBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D7121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00CDBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D71270,000000FF,?,0000003F,00000000,?), ref: 00CDBC36
_free.LIBCMT ref: 00CDBD4B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 0e02aa7955f514d2a5fa8d2302d3f40d4b37129f5f372b8af3c890d0fd1c0791
Instruction ID: d0b40e3e47b42f884505ebc0c2a86031a45b91522b23a518e31d1226751a7121
Opcode Fuzzy Hash: 0e02aa7955f514d2a5fa8d2302d3f40d4b37129f5f372b8af3c890d0fd1c0791
Instruction Fuzzy Hash: A8C12675904245EFCB209F69CC51BAABBB8EF41310F16419FE6A8D7352EB309E41E760

Function 00D0D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CA3A97,?,?,00CA2E7F,?,?,?,00000000), ref: 00CA3AC2

Part of subcall function 00D0E199: GetFileAttributesW.KERNEL32(?,00D0CF95), ref: 00D0E19A

FindFirstFileW.KERNEL32(?,?), ref: 00D0D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00D0D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D0D481
FindClose.KERNEL32(00000000), ref: 00D0D498
FindClose.KERNEL32(00000000), ref: 00D0D4A1

Strings

\*.*, xrefs: 00D0D3F2

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 1b9084cb181b97400dc0b5078ab19856a3ce51ea2f458e162b736e80f3460b30
Instruction ID: f27ebc318fa1b25c69cc3f7f0ad458bd507f3ed82c8252e4b3bc21330a2ad68d
Opcode Fuzzy Hash: 1b9084cb181b97400dc0b5078ab19856a3ce51ea2f458e162b736e80f3460b30
Instruction Fuzzy Hash: 723180310183469FC300EFA4D8969AFB7A8AE92304F444A1EF4D5931E1EB34EA09D773

Function 00CDE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00CDE645

Strings

1#INF, xrefs: 00CDF852
1#SNAN, xrefs: 00CDF844
1#IND, xrefs: 00CDF83D
1#QNAN, xrefs: 00CDF84B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 60e0478b12312fce15f87e03ce352cff947b999bc4b982a3ca2f900a1ae2ffb4
Instruction ID: eec0c1c873890e31947bc873ed93d50e58d70c8f9b03e305954be7d1cec74961
Opcode Fuzzy Hash: 60e0478b12312fce15f87e03ce352cff947b999bc4b982a3ca2f900a1ae2ffb4
Instruction Fuzzy Hash: FFC23871E086288BDB25DE28DD407EAB7B5FB49304F1541EBD95EE7240E774AE828F40

Function 00D1648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D164DC
CoInitialize.OLE32(00000000), ref: 00D16639
CoCreateInstance.OLE32(00D3FCF8,00000000,00000001,00D3FB68,?), ref: 00D16650
CoUninitialize.OLE32 ref: 00D168D4

Strings

.lnk, xrefs: 00D164BA, 00D16524, 00D165E0

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 717043a8e344774b4fdf43220d9c2a38a050a477ffb13ea58ba4eff1f5c25970
Instruction ID: 4f2a8e6ae66ab3f4a4286010f9276c51905c09c72f4ef6dd44eb0e072962a765
Opcode Fuzzy Hash: 717043a8e344774b4fdf43220d9c2a38a050a477ffb13ea58ba4eff1f5c25970
Instruction Fuzzy Hash: E3D14A71508301AFD304EF24D881EABB7E9FF95708F04496DF5958B291DB70E949CBA2

Function 00D222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00D222E8

Part of subcall function 00D1E4EC: GetWindowRect.USER32(?,?), ref: 00D1E504

GetDesktopWindow.USER32 ref: 00D22312
GetWindowRect.USER32(00000000), ref: 00D22319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00D22355
GetCursorPos.USER32(?), ref: 00D22381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D223DF

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: d030c76867c3f3f7b4ea9199dd4f1567ceb427fb88114e5f57be1dd3377d537b
Instruction ID: d88d1aa177515c1283d2f3db4495b14a0d6f273c194dab76d2293c94a17de0cf
Opcode Fuzzy Hash: d030c76867c3f3f7b4ea9199dd4f1567ceb427fb88114e5f57be1dd3377d537b
Instruction Fuzzy Hash: 7431C272504325AFD720DF54D845BABB7A9FF94314F040A1DF985E7291DB34E908CBA2

Function 00D19B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00D19B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00D19C8B

Part of subcall function 00D13874: GetInputState.USER32 ref: 00D138CB
Part of subcall function 00D13874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D13966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00D19BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00D19C75

Strings

*.*, xrefs: 00D19B5D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 68675590e3249f323e01cf0c71e8c806d617badf8910f7493ded20d77eec027e
Instruction ID: c4a9dce84c195563b5bab1157ee3757ad8cda2edc77e62c75eac5b3817d1728a
Opcode Fuzzy Hash: 68675590e3249f323e01cf0c71e8c806d617badf8910f7493ded20d77eec027e
Instruction Fuzzy Hash: 9C41607194420AAFCF14DF64D9A9AEEBBB9EF05310F244155F845A3291EB309E84DFB0

Function 00CB997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00CB9A4E
GetSysColor.USER32(0000000F), ref: 00CB9B23
SetBkColor.GDI32(?,00000000), ref: 00CB9B36

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 04dec0f553742ffebe11208bda07d778d1906a3cf1422adb42410b8d3d243c0e
Instruction ID: e64ac892bf540f66ce9744ef51485f9576af5ae8d55b47489433d00ed39aeb98
Opcode Fuzzy Hash: 04dec0f553742ffebe11208bda07d778d1906a3cf1422adb42410b8d3d243c0e
Instruction Fuzzy Hash: C6A13B70118558BEE769AB3D8C99EFB369DDF42340F15030AF322D66A1CA359E41E273

Function 00D21806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D2307A
Part of subcall function 00D2304E: _wcslen.LIBCMT ref: 00D2309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00D2185D
WSAGetLastError.WSOCK32 ref: 00D21884
bind.WSOCK32(00000000,?,00000010), ref: 00D218DB
WSAGetLastError.WSOCK32 ref: 00D218E6
closesocket.WSOCK32(00000000), ref: 00D21915

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 5a438f272463ec5f79b729fcbd56d62dddee06631f92e306c82affc125de2da0
Instruction ID: 10bd822651e5adcd9a04c62e3abb6e7bdb7b3677f39e264e22bb799b85ab98dd
Opcode Fuzzy Hash: 5a438f272463ec5f79b729fcbd56d62dddee06631f92e306c82affc125de2da0
Instruction Fuzzy Hash: 7851D275A00210AFDB10AF24D8C6F6AB7E5AB55718F188098F919AF3C3C771ED419BA1

Function 00D31C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D31CC0
IsWindowEnabled.USER32 ref: 00D31CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00D31CDB
IsIconic.USER32 ref: 00D31CE9
IsZoomed.USER32 ref: 00D31CF7

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 432830fc00559dfeee929d1d75a1b9feec93cbdf2522e387adb8413c5b46b31b
Instruction ID: 9de2a1cbe65ab7e896ed9a5f046da4cd1cd0083af9f8efddbfd85dc7a0abe08f
Opcode Fuzzy Hash: 432830fc00559dfeee929d1d75a1b9feec93cbdf2522e387adb8413c5b46b31b
Instruction Fuzzy Hash: B421A1357402125FD7208F2AD894B6ABBA5EF85315F1DA068E84ADB351CB71EC42CBB0

Function 00CA8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00CE5DF0
VUUU, xrefs: 00CA843C
VUUU, xrefs: 00CA83E8
ERCP, xrefs: 00CA813C
VUUU, xrefs: 00CA83FA

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 801d12fae94481a04aa0c2f715024017ce38e816143a328c33dc27311f6c7ef1
Instruction ID: e9ec3fbb37d1f6e4e19c7e0400e69d194b0fe3d50f8f2c3a5a4c5c6be0692ff7
Opcode Fuzzy Hash: 801d12fae94481a04aa0c2f715024017ce38e816143a328c33dc27311f6c7ef1
Instruction Fuzzy Hash: 69A2A270E0065ACBDF24CF59C8407AEB7B1FF55318F2481AAE825A7285DB709E85CF90

Function 00D2A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D2A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00D2A6BA

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00D2A79C
CloseHandle.KERNEL32(00000000), ref: 00D2A7AB

Part of subcall function 00CBCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00CE3303,?), ref: 00CBCE8A

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: fdb12039b79b97356f61be6f78cc4db286dcc83935589f71f896b9a299ea96c9
Instruction ID: bc074a1bb16904c66819e642838657b8e9713a7bc1a093069bf2008b80c2ef08
Opcode Fuzzy Hash: fdb12039b79b97356f61be6f78cc4db286dcc83935589f71f896b9a299ea96c9
Instruction Fuzzy Hash: 41516F715083119FD710EF24D886A6BBBE8FF89758F04891DF585D72A1EB30D904DBA2

Function 00D0AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00D0AAAC
SetKeyboardState.USER32(00000080), ref: 00D0AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00D0AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00D0AB88

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 549d84ad0f8065374132807667064c78cd19e9c81cb111ca6786f64c975b5496
Instruction ID: ddc824b20a194a6bb44637fd92c64a0ca64b0a0b88f4a2804cc37eda59504acf
Opcode Fuzzy Hash: 549d84ad0f8065374132807667064c78cd19e9c81cb111ca6786f64c975b5496
Instruction Fuzzy Hash: 6531F431A40358AEFB35CB6DCC05BFA7BA6EB45320F08421AF599961E1D375C981C772

Function 00D1CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00D1CE89
GetLastError.KERNEL32(?,00000000), ref: 00D1CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00D1CEFE

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 19d9542177164d0c9d4bc02396862aeb411a214d5b9d7eff82b2854edf5905d4
Instruction ID: 40002fd6ae9334ce0fddb6290979a29845f25a5292babcdb814e13ae5d66550a
Opcode Fuzzy Hash: 19d9542177164d0c9d4bc02396862aeb411a214d5b9d7eff82b2854edf5905d4
Instruction Fuzzy Hash: 7621BDB1590305ABDB20CFA5E948BA7B7F8EF00314F14541EE546E2251EB74EE858BB4

Function 00D08298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D082AA

Strings

|, xrefs: 00D082DA
(, xrefs: 00D082F0

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: c3a8b1723aefb73664eda943484a81027f0d497b2aeedc0e166e7bf806ba9a87
Instruction ID: bb3ce187f672bc26d224710d74d2b37d6f0dd51dbc7dc689fd17c23897bc4a79
Opcode Fuzzy Hash: c3a8b1723aefb73664eda943484a81027f0d497b2aeedc0e166e7bf806ba9a87
Instruction Fuzzy Hash: AD323474A007059FCB28CF69C481AAAB7F0FF48710B15C56EE49ADB3A1EB70E941DB54

Function 00D15C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D15CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00D15D17
FindClose.KERNEL32(?), ref: 00D15D5F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: c7e83e2b5432426115841fe556622fe4a199918be63b71634bfa86a65fef3d5e
Instruction ID: fb8b0815948c0b7d8183023a8d9290b33d2c7e25bf25701768648bd6e9d95958
Opcode Fuzzy Hash: c7e83e2b5432426115841fe556622fe4a199918be63b71634bfa86a65fef3d5e
Instruction Fuzzy Hash: 64519C74604602EFC714CF28E494E96B7E4FF4A314F14855DE99A8B3A1CB34ED84CBA1

Function 00CD2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00CD271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CD2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00CD2731

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 417518a70b0746a1542e70f971171a126e5ee1a86e5dbc1cb1a0432b98f4099c
Instruction ID: 7d55f51ffc8c1104af997b74e2f5463ab98f000379e0a51ac9773902eff2882e
Opcode Fuzzy Hash: 417518a70b0746a1542e70f971171a126e5ee1a86e5dbc1cb1a0432b98f4099c
Instruction Fuzzy Hash: F931D57591131CABCB21DF64DC88B9DBBB8AF18310F5041EAE91CA7260E7349F819F54

Function 00D151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D15238
SetErrorMode.KERNEL32(00000000), ref: 00D152A1

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9838d3aa93960e48ce120e0fde223a2917ce53cd874bc350b5d7ca2189e4bf7e
Instruction ID: 1d7e35769ff493ae8ff5a58cc48f5047976166cbef3be474fa5529cb598f21ac
Opcode Fuzzy Hash: 9838d3aa93960e48ce120e0fde223a2917ce53cd874bc350b5d7ca2189e4bf7e
Instruction Fuzzy Hash: 6B315075A00619EFDB00DF94D884EADBBB4FF49318F088099E805AB396DB75E855CB60

Function 00D016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00CBFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00CC0668
Part of subcall function 00CBFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00CC0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D0170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D0173A
GetLastError.KERNEL32 ref: 00D0174A

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e5f8a5e235fd6ab005609951fcf5aaf85442e44e61bf402756a6ea854f252168
Instruction ID: 4625b65f4e91ac7d027b0508a38aba9e0beb1f718009cf950e72ccba40341fb5
Opcode Fuzzy Hash: e5f8a5e235fd6ab005609951fcf5aaf85442e44e61bf402756a6ea854f252168
Instruction Fuzzy Hash: 2A1191B2514304AFD7189F64DC86EAAB7B9EB44714B24852EE05697281EB70FC418B30

Function 00D0D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D0D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00D0D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D0D650

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: e10210b3db1ca8a6737d3b28d989b6923322997ee0cc57414e8113f1f55a397e
Instruction ID: e72bc8dbf1913c52c0c18d7227eae3639c91aa064d061d2112fa4efa96be8ceb
Opcode Fuzzy Hash: e10210b3db1ca8a6737d3b28d989b6923322997ee0cc57414e8113f1f55a397e
Instruction Fuzzy Hash: 16113C75E05328BBDB108F959C45FAFBBBCEB45B50F108126F908E7290D6704A058BA1

Function 00D01663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00D0168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D016A1
FreeSid.ADVAPI32(?), ref: 00D016B1

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 4b84d0c24b8a1b1c45698c65706b2212f5e6dd950dda721665744d22af329e3d
Instruction ID: 278e685827f7c02cec01daf0807bd76eba65b63bedce15adfd1512554a308f17
Opcode Fuzzy Hash: 4b84d0c24b8a1b1c45698c65706b2212f5e6dd950dda721665744d22af329e3d
Instruction Fuzzy Hash: 33F0F47595030DFBDB00DFE49D89AAEBBBCEB08704F504565E501E2281E774AA448B60

Function 00CC4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00CD28E9,?,00CC4CBE,00CD28E9,00D688B8,0000000C,00CC4E15,00CD28E9,00000002,00000000,?,00CD28E9), ref: 00CC4D09
TerminateProcess.KERNEL32(00000000,?,00CC4CBE,00CD28E9,00D688B8,0000000C,00CC4E15,00CD28E9,00000002,00000000,?,00CD28E9), ref: 00CC4D10
ExitProcess.KERNEL32 ref: 00CC4D22

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6864ccffeaa6ed9c9adb2a9afa475a1a159908ea8b3686c85cc156b5c86a239b
Instruction ID: 9b75b0f127e5c9ac33c5fd6944e8002fa164041f2ddb4902c8182de7b42955f2
Opcode Fuzzy Hash: 6864ccffeaa6ed9c9adb2a9afa475a1a159908ea8b3686c85cc156b5c86a239b
Instruction Fuzzy Hash: 60E0B631010248ABCF15BF64DD1AF983B69FB41791B148418FD16DA222CB35DE52DB90

Function 00CDC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00CDC36C

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 0f9d135613fe0191cc0a937e7dbd9dbe91a7e710870c6b3c99fb6b976c264892
Instruction ID: 2aaead7019ef4960b50b6a10ab65543ee65474d85bef7fa6169aaafe7af06200
Opcode Fuzzy Hash: 0f9d135613fe0191cc0a937e7dbd9dbe91a7e710870c6b3c99fb6b976c264892
Instruction Fuzzy Hash: B3413B7650021A6FCB249FB9CC89EFB77B8EB84314F10426AFA15D7390E6709E41CB50

Function 00CFD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00CFD28C

Strings

X64, xrefs: 00CFD2A8

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: ca163c03e6b1a6afdde39b37ae90dae53e73c2a038021973dae6ece9bae2f186
Instruction ID: 496c020ceb8e3108a5f1b1c059c319de9e005474165f6d2e5426fbe457e09441
Opcode Fuzzy Hash: ca163c03e6b1a6afdde39b37ae90dae53e73c2a038021973dae6ece9bae2f186
Instruction Fuzzy Hash: DAD0C9B481111DEACB94DB90ECC8DDAB37CBB04305F100191F106E2100D73095488F20

Function 00CCCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 6e9ed51d140cab7be87228cfdc90ebae4805c6d8836eb40b60eec0c4952f73a6
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 5E020C71E002199BDF14CFA9C980BADBBF1EF48314F25816DD929E7384D731AA418B94

Function 00D168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D16918
FindClose.KERNEL32(00000000), ref: 00D16961

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d643b829e2e7e9b13743e1b96033250fc7e8e215eb0a69fc49f0d351fd5fbb29
Instruction ID: 276346e4947f48efbd522e73e0d40bc9ce39a9d15decf398045d3ecb996f2cac
Opcode Fuzzy Hash: d643b829e2e7e9b13743e1b96033250fc7e8e215eb0a69fc49f0d351fd5fbb29
Instruction Fuzzy Hash: A51193356142119FC710DF69D884A16BBE5FF85328F14C699E4698F3A2CB30EC45CBA1

Function 00D137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00D24891,?,?,00000035,?), ref: 00D137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00D24891,?,?,00000035,?), ref: 00D137F4

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f1f2e7ef34ff765c2308656f6a296516f8d3ada21096fde08f0832cb53b21794
Instruction ID: c4df6a956fae669f120da6f58b860222edc0734273d54b953b7fa4db19c9a239
Opcode Fuzzy Hash: f1f2e7ef34ff765c2308656f6a296516f8d3ada21096fde08f0832cb53b21794
Instruction Fuzzy Hash: 03F0A0B16043292AE62057A69C49FEB3AAEEF85765F000175B509E2291D9609944C7B0

Function 00D0B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00D0B25D
keybd_event.USER32(?,7707C0D0,?,00000000), ref: 00D0B270

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 86c53bd30b42a3cf5ee424ead5894331a23d3363d46dfab0a82505764c387ce0
Instruction ID: 394f5f6460132a065d275edb8bb07b32314eb8c4a13928f7b0a1910c3be3f93a
Opcode Fuzzy Hash: 86c53bd30b42a3cf5ee424ead5894331a23d3363d46dfab0a82505764c387ce0
Instruction Fuzzy Hash: 0FF01D7181424DABDB059FA0C805BAE7BB4FF04315F04900AF955A5191C379C6119FA4

Function 00D010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D011FC), ref: 00D010D4
CloseHandle.KERNEL32(?,?,00D011FC), ref: 00D010E9

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 06373cb281f170af4f287948ee9436136fafa192d9041e7b928eca0b51fd86a9
Instruction ID: e59b962d92b005a8f49f0e088baab3aaa43cd2a39a2e92401337f0f85f869ea3
Opcode Fuzzy Hash: 06373cb281f170af4f287948ee9436136fafa192d9041e7b928eca0b51fd86a9
Instruction Fuzzy Hash: AAE0BF72014750AEE7252B61FC05EB777E9EB04310F14882DF5A5905B1DB62ACA1EB60

Function 00CACAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00CF0C40

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: fe0479857dd4c89c8012be41fd66669933f48c62345f6043dce578346ebd9811
Instruction ID: de4802c200d36af0d5412ad7c9a16716ade9683f0486638fb5ca334604894ae7
Opcode Fuzzy Hash: fe0479857dd4c89c8012be41fd66669933f48c62345f6043dce578346ebd9811
Instruction Fuzzy Hash: 17329A7090021ADFCF14DF94C885AFDB7B5FF06308F248069E916AB292DB35AE45DB61

Function 00CD676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CD6766,?,?,00000008,?,?,00CDFEFE,00000000), ref: 00CD6998

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ca4f50ad80b6a84cba71cebdaef265e5ab2dbe69703a646387e01dbf0cf5573b
Instruction ID: 0b3ea1d68bb04f58d21aac9ff32d6f46105a68920ed3df894bd4d9ad1e6848c9
Opcode Fuzzy Hash: ca4f50ad80b6a84cba71cebdaef265e5ab2dbe69703a646387e01dbf0cf5573b
Instruction Fuzzy Hash: 13B14A316106099FD715CF28C48AB657BE0FF45364F25865AEAE9CF3A2C335EA81DB40

Function 00CBB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00CF851F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: dd60f4085bc05c737cdf5be1c4af4b83f6ddb121cc1afaa05ad48bfb8ef37d07
Instruction ID: 768f22c4a820c72a9359019050a68883a55db904ad49ee95ff0555574d3ae567
Opcode Fuzzy Hash: dd60f4085bc05c737cdf5be1c4af4b83f6ddb121cc1afaa05ad48bfb8ef37d07
Instruction Fuzzy Hash: C5127E71A002299BDB64CF59C8806FEB7F5FF48310F10819AE949EB251DB709E85CFA1

Function 00D1EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00D1EABD

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 73966990cdf8a5966e866875e690e0143eef858b9480c81730a9e14c133d4ccc
Instruction ID: c9f65d785cf0b46fa760db41b327ddbea64b17469127c0cef04dbf645b494e65
Opcode Fuzzy Hash: 73966990cdf8a5966e866875e690e0143eef858b9480c81730a9e14c133d4ccc
Instruction Fuzzy Hash: 70E04F32214205AFC710EF69E845E9AF7E9AF99764F048416FC4AD7361DB70EC808BA1

Function 00CC09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00CC03EE), ref: 00CC09DA

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 18b4898833545ab2757a6b4b345049fe7e4e2c30d28c411ae063f180724f9699
Instruction ID: 1b20b1c7169589d335e568f73c26a39a180334010f0106ab48c23874d97b96a8
Opcode Fuzzy Hash: 18b4898833545ab2757a6b4b345049fe7e4e2c30d28c411ae063f180724f9699
Instruction Fuzzy Hash:

Function 00CC781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00CC798B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: a57b903c28d125d9c4087abb48c6d0014ba974e88435184ab29152bacb84f7f1
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 5051756160C6055BDF388629C95AFBF2399DB12340F18070DEAA2EB6C2C625DF45EF52

Function 00CD6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9826ab65b07dd3bb65fc7d20d62bff264078b217e8482768c522ac57c030f916
Instruction ID: e86eb8c79b34a1ad8f2d0cf5ea0842e2ab52c91015115354eb10a13cb40023df
Opcode Fuzzy Hash: 9826ab65b07dd3bb65fc7d20d62bff264078b217e8482768c522ac57c030f916
Instruction Fuzzy Hash: 0C321326D29F014EDB239A34D862335A249AFB73C5F55C737F82AB5AA5FB39C5834100

Function 00CBCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973e589a0e05a889cde96530e2ab012e559f46c1ad1709d5944665a16a99867f
Instruction ID: a55f9771de67f94c4409d2f8025943f45b63dd3baffb2f0a6b5ee7a51443124f
Opcode Fuzzy Hash: 973e589a0e05a889cde96530e2ab012e559f46c1ad1709d5944665a16a99867f
Instruction Fuzzy Hash: D6321631B0411D8BDF68CF2DC6D46BD7BA1EB45300F28856AD66ACB295D230DE81EB52

Function 00CA7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298ccb54db53585f125a261f2d10a6fdacda6a9992204ff5c59e04b9bf9de6f8
Instruction ID: 341083f5d1495b33822acb87cf8e91a703195a7caa3c3df661c3752870b03fde
Opcode Fuzzy Hash: 298ccb54db53585f125a261f2d10a6fdacda6a9992204ff5c59e04b9bf9de6f8
Instruction Fuzzy Hash: 9E22B1B0A0064ADFDF14CF65D981AEEB3F5FF45308F204629E816A7291EB359E11DB60

Function 00CA91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbde04d0a9b30f3f794bb343144b4f11234ecdf654aa9887d1204b0c63373d66
Instruction ID: 95b22b3cba219d0105bfaa0ef54bad0790305f4b5dfc8c01a0c95db44e663e4d
Opcode Fuzzy Hash: fbde04d0a9b30f3f794bb343144b4f11234ecdf654aa9887d1204b0c63373d66
Instruction Fuzzy Hash: DD02B6B0E00246EBDB04DF65D881AAEB7B5FF44344F208169E816DB391EB31EE11DB95

Function 00CD9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26cdaae59d6f116cb56c2d49cdf34436d56b257955484ca2a0cd4e7dc874d8b
Instruction ID: 50cb3ada8cfffbf50bf92dcb73b7fe1f8d3dc0b3a79f4a7bf0c59357f184d877
Opcode Fuzzy Hash: e26cdaae59d6f116cb56c2d49cdf34436d56b257955484ca2a0cd4e7dc874d8b
Instruction Fuzzy Hash: 0EB10425D2AF404ED3239B398835336B65CAFBB6D5F51D71BFC16B4E62EB2286834140

Function 00CC1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: aad0dfc7937d5e211b0a38e10825c2f40727e655b1819483396eac13136814b0
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 959157725080A34AD72A463BC574A7DFFE15A533A131D079DECF3CA1C6EE24CA65D620

Function 00CC1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: ab90d0a0571dc54c657c796f59872bae87671b80a0a19a7306fdc66b5e1e7c90
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 1B916B721090A349DB69467FC57493DFFE15A933A131E079ED8F2CB1C6EE24CA54D620

Function 00CC19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 4946d0021240dce2e319e0f867d1c4e0ce7d64192ee87fdab6b525e51916d51b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 329125722090A34EDB2D467BC57493DFFE15A933A131D079DD8F2CA1C2FD24CA65AA20

Function 00CC7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b46efd753f4801304fdfdc76f62ec9e9fc8e47ed918d2463160761e52360511
Instruction ID: b64e7d45d99f10e22fbd83722f91230f146046bdc1a12ae3ac4758c13561cb40
Opcode Fuzzy Hash: 8b46efd753f4801304fdfdc76f62ec9e9fc8e47ed918d2463160761e52360511
Instruction Fuzzy Hash: 12616671608709A7DF349A28C9B6FBF2394DF41710F101B5EE863CB281DA119F82AF55

Function 00CC7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c27747832112b3605ba2cb41664d96f2e837838c49e97df6f1d34573f1ed724
Instruction ID: ecb8fd468c33d8d1c95b1a3261217f1ba4790c17a61213c848d0cde452a9ca79
Opcode Fuzzy Hash: 1c27747832112b3605ba2cb41664d96f2e837838c49e97df6f1d34573f1ed724
Instruction Fuzzy Hash: 24617A726087096BDE385A28C856FBF2394EF42740F100B5EF853DB681DA12EF46DE55

Function 00CC1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 8e9516affb2bfb7095b9baad6bb6951176559e8a5f16476765b5e847aabfa27f
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: ED81447250D0A349DB69463BC574A3EFFE15A933A131E079DD8F2CA1C3EE24D654E620

Function 00D12046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95822b9821b64f073c44fef441cb6fd47243b854d6573f9c6f224b9881a6d986
Instruction ID: 1247e2233fb19b2fc8e79c203144fb85e651bbf5253c92195db5c2588ae7caa6
Opcode Fuzzy Hash: 95822b9821b64f073c44fef441cb6fd47243b854d6573f9c6f224b9881a6d986
Instruction Fuzzy Hash: 9421BB326206118BD728CF79C8236BE73E5E754310F19862EE4A7C37D1DE36A944C750

Function 00D370D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D3712F
GetSysColorBrush.USER32(0000000F), ref: 00D37160
GetSysColor.USER32(0000000F), ref: 00D3716C
SetBkColor.GDI32(?,000000FF), ref: 00D37186
SelectObject.GDI32(?,?), ref: 00D37195
InflateRect.USER32(?,000000FF,000000FF), ref: 00D371C0
GetSysColor.USER32(00000010), ref: 00D371C8
CreateSolidBrush.GDI32(00000000), ref: 00D371CF
FrameRect.USER32(?,?,00000000), ref: 00D371DE
DeleteObject.GDI32(00000000), ref: 00D371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00D37230
FillRect.USER32(?,?,?), ref: 00D37262
GetWindowLongW.USER32(?,000000F0), ref: 00D37284

Part of subcall function 00D373E8: GetSysColor.USER32(00000012), ref: 00D37421
Part of subcall function 00D373E8: SetTextColor.GDI32(?,?), ref: 00D37425
Part of subcall function 00D373E8: GetSysColorBrush.USER32(0000000F), ref: 00D3743B
Part of subcall function 00D373E8: GetSysColor.USER32(0000000F), ref: 00D37446
Part of subcall function 00D373E8: GetSysColor.USER32(00000011), ref: 00D37463
Part of subcall function 00D373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D37471
Part of subcall function 00D373E8: SelectObject.GDI32(?,00000000), ref: 00D37482
Part of subcall function 00D373E8: SetBkColor.GDI32(?,00000000), ref: 00D3748B
Part of subcall function 00D373E8: SelectObject.GDI32(?,?), ref: 00D37498
Part of subcall function 00D373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00D374B7
Part of subcall function 00D373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D374CE
Part of subcall function 00D373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00D374DB

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: a45ab020b8958b8d302a30a0addd81102ca649d32c4c6656064cd1789f934296
Instruction ID: b43ad55517581a9135d84439b1c83af3897262c9d46472833bda5ba35dfb7736
Opcode Fuzzy Hash: a45ab020b8958b8d302a30a0addd81102ca649d32c4c6656064cd1789f934296
Instruction Fuzzy Hash: 1DA1C072018701BFDB109F60DC48E6B7BA9FF48320F142A19F9A2E62E1D771E944DB61

Function 00CB8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00CB8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00CF6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00CF6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00CF6F43

Part of subcall function 00CB8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CB8BE8,?,00000000,?,?,?,?,00CB8BBA,00000000,?), ref: 00CB8FC5

SendMessageW.USER32(?,00001053), ref: 00CF6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00CF6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00CF6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00CF6FB7

Strings

0, xrefs: 00CF6DCF

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 32ed074ca80cf54b9c22978885b0f1eba203e1bb7408694d04fcfc0ec7d2749a
Instruction ID: fcecb91ec951debcb705f3bfc6ca5d609148c2df074ceb5f43e105c092e5798c
Opcode Fuzzy Hash: 32ed074ca80cf54b9c22978885b0f1eba203e1bb7408694d04fcfc0ec7d2749a
Instruction Fuzzy Hash: 3E12BC38200245EFDB65DF28C844BB6B7E5FB44300F144169E6A9DB261CB31ED96DFA2

Function 00D22711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00D2273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D2286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00D228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00D228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00D22900
GetClientRect.USER32(00000000,?), ref: 00D2290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00D22955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D22964
GetStockObject.GDI32(00000011), ref: 00D22974
SelectObject.GDI32(00000000,00000000), ref: 00D22978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00D22988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D22991
DeleteDC.GDI32(00000000), ref: 00D2299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00D229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00D22A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D22A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00D22A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00D22A77
GetStockObject.GDI32(00000011), ref: 00D22A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D22A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00D22A97

Strings

msctls_progress32, xrefs: 00D22A13
AutoIt v3, xrefs: 00D228F8
DISPLAY, xrefs: 00D2295A
static, xrefs: 00D2294F, 00D22A71

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 60ad18aa6f28d9387d120d664c3bbca70c1a9f4b1000ef0b3f28193900d025cc
Instruction ID: a6d8bfa3cc735bc00bd96396356dc6229186870ef869170886ccdc50fc73fa03
Opcode Fuzzy Hash: 60ad18aa6f28d9387d120d664c3bbca70c1a9f4b1000ef0b3f28193900d025cc
Instruction Fuzzy Hash: 34B15C75A10215BFEB14DF68DC8AFAE7BA9EB08714F008214F915E72A1D774ED40CBA0

Function 00D14ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D14AED
GetDriveTypeW.KERNEL32(?,00D3CB68,?,\\.\,00D3CC08), ref: 00D14BCA
SetErrorMode.KERNEL32(00000000,00D3CB68,?,\\.\,00D3CC08), ref: 00D14D36

Strings

SATA, xrefs: 00D14CD0
Fixed, xrefs: 00D14C09
Removable, xrefs: 00D14C10, 00D14C15
SAS, xrefs: 00D14CC9
Network, xrefs: 00D14C02
SSD, xrefs: 00D14C4A
\\.\, xrefs: 00D14B3F
ATAPI, xrefs: 00D14C91
PhysicalDrive, xrefs: 00D14B76
RAID, xrefs: 00D14CBB
SSA, xrefs: 00D14CA6
Unknown, xrefs: 00D14BED, 00D14C83
CDROM, xrefs: 00D14BFB
SCSI, xrefs: 00D14C8A
ATA, xrefs: 00D14C98
1394, xrefs: 00D14C9F
Virtual, xrefs: 00D14CE5
Fibre, xrefs: 00D14CAD
USB, xrefs: 00D14CB4
RAMDisk, xrefs: 00D14BF4
FileBackedVirtual, xrefs: 00D14CEC
MMC, xrefs: 00D14CDE
iSCSI, xrefs: 00D14CC2

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ab4c1aa8bf8b9d0b8bae861a60d501c85245797fd4c10cf5771249e8c9eab722
Instruction ID: cf3046f2f6decd46c98e552bb49647cd38b523841248264ad7c6775c038771d1
Opcode Fuzzy Hash: ab4c1aa8bf8b9d0b8bae861a60d501c85245797fd4c10cf5771249e8c9eab722
Instruction Fuzzy Hash: B461A370605206FFCB04DF24EA82DE9B7A2EF45744B284015F846AB291DF35DD85EBB1

Function 00D373E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00D37421
SetTextColor.GDI32(?,?), ref: 00D37425
GetSysColorBrush.USER32(0000000F), ref: 00D3743B
GetSysColor.USER32(0000000F), ref: 00D37446
CreateSolidBrush.GDI32(?), ref: 00D3744B
GetSysColor.USER32(00000011), ref: 00D37463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D37471
SelectObject.GDI32(?,00000000), ref: 00D37482
SetBkColor.GDI32(?,00000000), ref: 00D3748B
SelectObject.GDI32(?,?), ref: 00D37498
InflateRect.USER32(?,000000FF,000000FF), ref: 00D374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00D374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D3752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D37554
InflateRect.USER32(?,000000FD,000000FD), ref: 00D37572
DrawFocusRect.USER32(?,?), ref: 00D3757D
GetSysColor.USER32(00000011), ref: 00D3758E
SetTextColor.GDI32(?,00000000), ref: 00D37596
DrawTextW.USER32(?,00D370F5,000000FF,?,00000000), ref: 00D375A8
SelectObject.GDI32(?,?), ref: 00D375BF
DeleteObject.GDI32(?), ref: 00D375CA
SelectObject.GDI32(?,?), ref: 00D375D0
DeleteObject.GDI32(?), ref: 00D375D5
SetTextColor.GDI32(?,?), ref: 00D375DB
SetBkColor.GDI32(?,?), ref: 00D375E5

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 512e854b00e25319bf99b19da4574cf3f80e48223d91918bc62e01e16262cce5
Instruction ID: 1a2f6aa369c1b2c21c825a67a8e66cf15d43ae9a91650506bfc8e01678ff24ea
Opcode Fuzzy Hash: 512e854b00e25319bf99b19da4574cf3f80e48223d91918bc62e01e16262cce5
Instruction Fuzzy Hash: 5A617B72900218AFDF119FA4DC49EEEBFB9EB08360F145115F911FB2A1D775A940DBA0

Function 00D30FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D31128
GetDesktopWindow.USER32 ref: 00D3113D
GetWindowRect.USER32(00000000), ref: 00D31144
GetWindowLongW.USER32(?,000000F0), ref: 00D31199
DestroyWindow.USER32(?), ref: 00D311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D3120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D3121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00D31232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00D31245
IsWindowVisible.USER32(00000000), ref: 00D312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00D312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00D312D0
GetWindowRect.USER32(00000000,?), ref: 00D312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00D3130E
GetMonitorInfoW.USER32(00000000,?), ref: 00D31328
CopyRect.USER32(?,?), ref: 00D3133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00D313AA

Strings

(, xrefs: 00D3131B
0, xrefs: 00D310D3
tooltips_class32, xrefs: 00D311E6

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e65503f23a3f0e75c0f7bd65c2c5c3eb16eec1b63eab33c05dcb043838d4cb51
Instruction ID: 7b2831abb9199ae1f16f374446854edc382511ec9b20591822382afa301eda6a
Opcode Fuzzy Hash: e65503f23a3f0e75c0f7bd65c2c5c3eb16eec1b63eab33c05dcb043838d4cb51
Instruction Fuzzy Hash: 7DB19C75608342AFD714DF64C885BABBBE4FF85354F048918F999AB2A1C731EC44CBA1

Function 00D30241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D302E5
_wcslen.LIBCMT ref: 00D3031F
_wcslen.LIBCMT ref: 00D30389
_wcslen.LIBCMT ref: 00D303F1
_wcslen.LIBCMT ref: 00D30475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00D304C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D30504

Part of subcall function 00CBF9F2: _wcslen.LIBCMT ref: 00CBF9FD

Part of subcall function 00D0223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D02258
Part of subcall function 00D0223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D0228A

Strings

DESELECT, xrefs: 00D3059C
GETSELECTEDCOUNT, xrefs: 00D30470, 00D3048B
SELECTALL, xrefs: 00D30515
SELECT, xrefs: 00D30548
VIEWCHANGE, xrefs: 00D30675
GETITEMCOUNT, xrefs: 00D30316, 00D30337
GETTEXT, xrefs: 00D303EC, 00D30407
SELECTCLEAR, xrefs: 00D3052D
GETSELECTED, xrefs: 00D305E1
SELECTINVERT, xrefs: 00D3057E
ISSELECTED, xrefs: 00D304DD
GETSUBITEMCOUNT, xrefs: 00D30384, 00D3039F
FINDITEM, xrefs: 00D30627

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 7f4ff3d3407302a63b673d97bb06f2daba9ed57d85ee35ca0534c596a082cacc
Instruction ID: c9abcf384ec1ce192a40bc30b822e6076acddc8873ea3639a14d536543170b86
Opcode Fuzzy Hash: 7f4ff3d3407302a63b673d97bb06f2daba9ed57d85ee35ca0534c596a082cacc
Instruction Fuzzy Hash: 80E1B0316183018FC714DF24C86196EBBE6BF88718F18495CF8969B3A6DB30ED45DBA1

Function 00CB8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CB8968
GetSystemMetrics.USER32(00000007), ref: 00CB8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CB899B
GetSystemMetrics.USER32(00000008), ref: 00CB89A3
GetSystemMetrics.USER32(00000004), ref: 00CB89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00CB89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00CB89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00CB8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00CB8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00CB8A5A
GetStockObject.GDI32(00000011), ref: 00CB8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CB8A81

Part of subcall function 00CB912D: GetCursorPos.USER32(?), ref: 00CB9141
Part of subcall function 00CB912D: ScreenToClient.USER32(00000000,?), ref: 00CB915E
Part of subcall function 00CB912D: GetAsyncKeyState.USER32(00000001), ref: 00CB9183
Part of subcall function 00CB912D: GetAsyncKeyState.USER32(00000002), ref: 00CB919D

SetTimer.USER32(00000000,00000000,00000028,00CB90FC), ref: 00CB8AA8

Strings

AutoIt v3 GUI, xrefs: 00CB8A20

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 68a5d971526a4ec78fd1c9379befb38ed9d2ebd65cb9a9d4d0d2db171e5b2985
Instruction ID: 27b535cba7f5a7ff6215421739c468d41b5fb08838324bf84fd92f6d65792b69
Opcode Fuzzy Hash: 68a5d971526a4ec78fd1c9379befb38ed9d2ebd65cb9a9d4d0d2db171e5b2985
Instruction Fuzzy Hash: 66B12975A0020AAFDF14DFA8DC45BEA7BB5FB48314F104229FA25E7290DB74A941CF61

Function 00D00D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D01114
Part of subcall function 00D010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D01120
Part of subcall function 00D010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D0112F
Part of subcall function 00D010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D01136
Part of subcall function 00D010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D0114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D00DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D00E29
GetLengthSid.ADVAPI32(?), ref: 00D00E40
GetAce.ADVAPI32(?,00000000,?), ref: 00D00E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D00E96
GetLengthSid.ADVAPI32(?), ref: 00D00EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D00EB5
HeapAlloc.KERNEL32(00000000), ref: 00D00EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D00EDD
CopySid.ADVAPI32(00000000), ref: 00D00EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D00F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D00F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D00F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D00F6E
HeapFree.KERNEL32(00000000), ref: 00D00F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D00F7E
HeapFree.KERNEL32(00000000), ref: 00D00F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D00F8E
HeapFree.KERNEL32(00000000), ref: 00D00F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00D00FA1
HeapFree.KERNEL32(00000000), ref: 00D00FA8

Part of subcall function 00D01193: GetProcessHeap.KERNEL32(00000008,00D00BB1,?,00000000,?,00D00BB1,?), ref: 00D011A1
Part of subcall function 00D01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D00BB1,?), ref: 00D011A8
Part of subcall function 00D01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D00BB1,?), ref: 00D011B7

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c95182ab71e73b8fcc01b93eaba4487b7116bdb9c8cfea53c1609efb7f6a4a6b
Instruction ID: 48366546d2ab9ff08bca0049da70f62e2d6690705594b2aceae1b969c942815a
Opcode Fuzzy Hash: c95182ab71e73b8fcc01b93eaba4487b7116bdb9c8cfea53c1609efb7f6a4a6b
Instruction Fuzzy Hash: 34714A7290430ABBDB209FA4DC49BAEBFB8BF05301F184115FA59F6291D7719905DB70

Function 00D2C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D2C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D3CC08,00000000,?,00000000,?,?), ref: 00D2C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00D2C5A4
_wcslen.LIBCMT ref: 00D2C5F4
_wcslen.LIBCMT ref: 00D2C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00D2C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00D2C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00D2C84D
RegCloseKey.ADVAPI32(?), ref: 00D2C881
RegCloseKey.ADVAPI32(00000000), ref: 00D2C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00D2C960

Strings

REG_SZ, xrefs: 00D2C644
REG_QWORD, xrefs: 00D2C8C3
REG_MULTI_SZ, xrefs: 00D2C6F5
REG_BINARY, xrefs: 00D2C913
REG_EXPAND_SZ, xrefs: 00D2C5CD
REG_DWORD, xrefs: 00D2C804

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: b51b7ce655ff92800b19062f96a5031ac598568c7fabf00a7809331adfb67238
Instruction ID: f60e4a80d2d100d9503ec0279d1533cce5f8ec37165ee353fb95c8e548f7c0ed
Opcode Fuzzy Hash: b51b7ce655ff92800b19062f96a5031ac598568c7fabf00a7809331adfb67238
Instruction Fuzzy Hash: 4A1279356142119FCB14EF14D891A2AB7E5FF89718F08895CF88A9B3A2DB31FC41DB91

Function 00D3091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D309C6
_wcslen.LIBCMT ref: 00D30A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D30A54
_wcslen.LIBCMT ref: 00D30A8A
_wcslen.LIBCMT ref: 00D30B06
_wcslen.LIBCMT ref: 00D30B81

Part of subcall function 00CBF9F2: _wcslen.LIBCMT ref: 00CBF9FD

Part of subcall function 00D02BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D02BFA

Strings

UNCHECK, xrefs: 00D30D3E
CHECK, xrefs: 00D30A85, 00D30AA0
EXISTS, xrefs: 00D30B7C, 00D30B97
COLLAPSE, xrefs: 00D30B01, 00D30B1C
GETTEXT, xrefs: 00D30C97
GETSELECTED, xrefs: 00D30C4E
EXPAND, xrefs: 00D30BF8
SELECT, xrefs: 00D30D11
GETTOTALCOUNT, xrefs: 00D309F2, 00D30A17
GETITEMCOUNT, xrefs: 00D30C1E
ISCHECKED, xrefs: 00D30CE1

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: cde3b448369abc69f217fe6d8a58613ea98141d95cfb6c875121535e92a5629d
Instruction ID: 5c926b29db3478624e394e9806271849f93374abb0e078aef82f81053c7181f3
Opcode Fuzzy Hash: cde3b448369abc69f217fe6d8a58613ea98141d95cfb6c875121535e92a5629d
Instruction Fuzzy Hash: 66E1B1316083018FC714DF24C46096ABBE1FF99718F18895CF8969B7A2D731ED45DBA1

Function 00D2C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D2B6AE,?,?), ref: 00D2C9B5
_wcslen.LIBCMT ref: 00D2C9F1
_wcslen.LIBCMT ref: 00D2CA68
_wcslen.LIBCMT ref: 00D2CA9E
_wcslen.LIBCMT ref: 00D2CAF9
_wcslen.LIBCMT ref: 00D2CB2F
_wcslen.LIBCMT ref: 00D2CB7F

Strings

HKEY_CURRENT_USER, xrefs: 00D2CBBD
HKCU, xrefs: 00D2CBCE
HKEY_CLASSES_ROOT, xrefs: 00D2CAF3, 00D2CAF8
HKEY_LOCAL_MACHINE, xrefs: 00D2CA62, 00D2CA67
HKLM, xrefs: 00D2CA98, 00D2CA9D
HKEY_USERS, xrefs: 00D2CBDF
HKCR, xrefs: 00D2CB29, 00D2CB2E
HKU, xrefs: 00D2CBF0
HKCC, xrefs: 00D2CBAC
HKEY_CURRENT_CONFIG, xrefs: 00D2CB79, 00D2CB7E

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 5170d8fc2b86666d183d8b5d9a6d72f2c0609f88828009b4034a28c32ab21428
Instruction ID: d991bdd8703270463ce5ecb17be1386107f9208c5a86195212718380490514b0
Opcode Fuzzy Hash: 5170d8fc2b86666d183d8b5d9a6d72f2c0609f88828009b4034a28c32ab21428
Instruction Fuzzy Hash: F171F532A2013A8BCB20DE7CED516BE3395AFB175CF295528F86697284E631CD45D3B0

Function 00D3833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D3835A
_wcslen.LIBCMT ref: 00D3836E
_wcslen.LIBCMT ref: 00D38391
_wcslen.LIBCMT ref: 00D383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00D35BF2), ref: 00D3844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D38487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D38501
FreeLibrary.KERNEL32(?), ref: 00D3850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D3851D
DestroyIcon.USER32(?,?,?,?,?,00D35BF2), ref: 00D3852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D38549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D38555

Strings

.exe, xrefs: 00D38388
.dll, xrefs: 00D383AB
.icl, xrefs: 00D38368

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 2327a2e529bac81f85e6291f0435a3c5f3bbecf463a8ae7369f751591b53df34
Instruction ID: 80373adbc33ff2bf96da3b01d3a4d3c63fa2399457da6bedba7817a695b7681a
Opcode Fuzzy Hash: 2327a2e529bac81f85e6291f0435a3c5f3bbecf463a8ae7369f751591b53df34
Instruction Fuzzy Hash: 5761B072550319BEEB14DF64CC41BBE77A8BB08711F108609F815E61D1DB74A984E7B0

Function 00CA7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 00CE5279
', xrefs: 00CE5169
#requireadmin, xrefs: 00CA77FF
#comments-end, xrefs: 00CA78D9
#notrayicon, xrefs: 00CA77E7
#include, xrefs: 00CA7847
Bad directive syntax error, xrefs: 00CE519A
#cs, xrefs: 00CA7873, 00CA78C5
#comments-start, xrefs: 00CA785F, 00CA78B1
Unterminated group of comments, xrefs: 00CE528C
#include-once, xrefs: 00CA782F
#pragma compile, xrefs: 00CA77D3
#OnAutoItStartRegister, xrefs: 00CA7817
#ce, xrefs: 00CA78ED
", xrefs: 00CE5153

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 7fb846802294f32e4ff18f405d77caa2fc48b44caa66b23580d887d0ef0a21fb
Instruction ID: cfa30fdd2e80b246e89fd29813be2aa041b6656faa1ec8be89cdf2e79000f38a
Opcode Fuzzy Hash: 7fb846802294f32e4ff18f405d77caa2fc48b44caa66b23580d887d0ef0a21fb
Instruction Fuzzy Hash: DD81E771A44606BFDB21AF61DC42FAF37A8BF16304F044128F915EA192EB70DA15E7A1

Function 00D13E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00D13EF8
_wcslen.LIBCMT ref: 00D13F03
_wcslen.LIBCMT ref: 00D13F5A
_wcslen.LIBCMT ref: 00D13F98
GetDriveTypeW.KERNEL32(?), ref: 00D13FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D1401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D14059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D14087

Strings

close, xrefs: 00D13EFE, 00D13F18
type cdaudio alias cd wait, xrefs: 00D14001
set cd door , xrefs: 00D14028
open, xrefs: 00D13F54, 00D13F59
open , xrefs: 00D13FE5
closed, xrefs: 00D13F08, 00D13F2D, 00D13F46, 00D13F7E, 00D13F97
wait, xrefs: 00D14044
close cd wait, xrefs: 00D14072

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: b31ecbf3edb9903e70cda3b048445b7f78f58f70bbd62a29e7bbfe92d5843f70
Instruction ID: d950fbbd711b99c60575374d84fe6309d40ef8a08c399604e92dbd1889bc73f3
Opcode Fuzzy Hash: b31ecbf3edb9903e70cda3b048445b7f78f58f70bbd62a29e7bbfe92d5843f70
Instruction Fuzzy Hash: B671E331604312AFC710EF24D8818AAB7F4EF99758F14492DF89697251EB31DD8ACBA1

Function 00D05A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00D05A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D05A40
SetWindowTextW.USER32(?,?), ref: 00D05A57
GetDlgItem.USER32(?,000003EA), ref: 00D05A6C
SetWindowTextW.USER32(00000000,?), ref: 00D05A72
GetDlgItem.USER32(?,000003E9), ref: 00D05A82
SetWindowTextW.USER32(00000000,?), ref: 00D05A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D05AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D05AC3
GetWindowRect.USER32(?,?), ref: 00D05ACC
_wcslen.LIBCMT ref: 00D05B33
SetWindowTextW.USER32(?,?), ref: 00D05B6F
GetDesktopWindow.USER32 ref: 00D05B75
GetWindowRect.USER32(00000000), ref: 00D05B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00D05BD3
GetClientRect.USER32(?,?), ref: 00D05BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00D05C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D05C2F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: b136a0cdaa96a3dcac88cf3c7bcc21137aec8408f3070b7d4c790d59efc411e1
Instruction ID: d8314658f5cbf406bbb00f9829ecb2eb0fc2e9d5dc727d58b9e27e5e2abc8aa6
Opcode Fuzzy Hash: b136a0cdaa96a3dcac88cf3c7bcc21137aec8408f3070b7d4c790d59efc411e1
Instruction Fuzzy Hash: 37714A31900B09AFDB20DFA8DD45BAEBBF5EB48704F144518E986A26A4D775E940CF60

Function 00D1FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00D1FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00D1FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00D1FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00D1FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00D1FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00D1FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00D1FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00D1FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00D1FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00D1FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00D1FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00D1FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00D1FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00D1FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00D1FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00D1FECC
GetCursorInfo.USER32(?), ref: 00D1FEDC
GetLastError.KERNEL32 ref: 00D1FF1E

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: bdd5348f3c0cb775a703fba372454c74b783f408e62dc8994332c47ada6a16bc
Instruction ID: 25da7415ac9ec6c08f420e9fb33ed3a61e743dd2e7c92845435c60dd9a6e5434
Opcode Fuzzy Hash: bdd5348f3c0cb775a703fba372454c74b783f408e62dc8994332c47ada6a16bc
Instruction Fuzzy Hash: 394161B0D083196ADB109FBA9C8985EBFE8FF04354B54452AE119E7291DB78A941CFA0

Function 00CC00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00CC00C6

Part of subcall function 00CC00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00D7070C,00000FA0,7362E3BB,?,?,?,?,00CE23B3,000000FF), ref: 00CC011C
Part of subcall function 00CC00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00CE23B3,000000FF), ref: 00CC0127
Part of subcall function 00CC00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00CE23B3,000000FF), ref: 00CC0138
Part of subcall function 00CC00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00CC014E
Part of subcall function 00CC00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00CC015C
Part of subcall function 00CC00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00CC016A
Part of subcall function 00CC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00CC0195
Part of subcall function 00CC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00CC01A0

___scrt_fastfail.LIBCMT ref: 00CC00E7

Part of subcall function 00CC00A3: __onexit.LIBCMT ref: 00CC00A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00CC0122
SleepConditionVariableCS, xrefs: 00CC0154
WakeAllConditionVariable, xrefs: 00CC0162
InitializeConditionVariable, xrefs: 00CC0148
kernel32.dll, xrefs: 00CC0133

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: dd8176a3b03b03b9520452313d437de1398a12d5dfdbe32d9b5199271203e925
Instruction ID: fde1d35d1f610a9ce317e4e1f896199d0f9f58162f3df752ce00edff3bfa26f9
Opcode Fuzzy Hash: dd8176a3b03b03b9520452313d437de1398a12d5dfdbe32d9b5199271203e925
Instruction Fuzzy Hash: FD21F632A44710EFE7115BA4EC0AF6EB7A8DB04B61F24013DF815E23D1DBB09C009AB0

Function 00D030F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D0318D
_wcslen.LIBCMT ref: 00D031F8

Strings

INSTANCE, xrefs: 00D03453
CLASS, xrefs: 00D03188, 00D031A5
REGEXPCLASS, xrefs: 00D03255, 00D03266
NAME, xrefs: 00D03335, 00D03346
CLASSNN, xrefs: 00D031F3, 00D03204
TEXT, xrefs: 00D0347C

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 1885009204d523bf15ea5159c2df0ce8bf4d0c2f0ee3a6596fa21bb838b88734
Instruction ID: d409a885a5b9411ad61e7e5b6b437338b94dd0e25a2ad8f3a943beba4f715d6a
Opcode Fuzzy Hash: 1885009204d523bf15ea5159c2df0ce8bf4d0c2f0ee3a6596fa21bb838b88734
Instruction Fuzzy Hash: D5E1B631A00616AFCB18DF78C855BEDBBB8BF54710F588119E45AB7290DB30AE85D7B0

Function 00D144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00D3CC08), ref: 00D14527
_wcslen.LIBCMT ref: 00D1453B
_wcslen.LIBCMT ref: 00D14599
_wcslen.LIBCMT ref: 00D145F4
_wcslen.LIBCMT ref: 00D1463F
_wcslen.LIBCMT ref: 00D146A7

Part of subcall function 00CBF9F2: _wcslen.LIBCMT ref: 00CBF9FD

GetDriveTypeW.KERNEL32(?,00D66BF0,00000061), ref: 00D14743

Strings

removable, xrefs: 00D145EA, 00D145EF
fixed, xrefs: 00D14635, 00D1463A
network, xrefs: 00D1469D, 00D146A2
unknown, xrefs: 00D14708
all, xrefs: 00D14531, 00D14536
cdrom, xrefs: 00D1458F, 00D14594
ramdisk, xrefs: 00D146F1

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 34eb5d7008fd30efd1838240acdae798a70631451db4ca2b099748243653939a
Instruction ID: 221aaffe8fd132560dcf6fc61617fd8ed99be1367127ec12c7009272d09dab0a
Opcode Fuzzy Hash: 34eb5d7008fd30efd1838240acdae798a70631451db4ca2b099748243653939a
Instruction Fuzzy Hash: 96B1E571608302AFC710DF28E890AAEB7E5BF96764F54891DF496C7291DB30D885C7B2

Function 00D2AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D2B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D2B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D2B1D4
_wcslen.LIBCMT ref: 00D2B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D2B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D2B236
_wcslen.LIBCMT ref: 00D2B332

Part of subcall function 00D105A7: GetStdHandle.KERNEL32(000000F6), ref: 00D105C6

_wcslen.LIBCMT ref: 00D2B34B
_wcslen.LIBCMT ref: 00D2B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D2B3B6
GetLastError.KERNEL32(00000000), ref: 00D2B407
CloseHandle.KERNEL32(?), ref: 00D2B439
CloseHandle.KERNEL32(00000000), ref: 00D2B44A
CloseHandle.KERNEL32(00000000), ref: 00D2B45C
CloseHandle.KERNEL32(00000000), ref: 00D2B46E
CloseHandle.KERNEL32(?), ref: 00D2B4E3

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: a0e1326d5b2c20929dd79824d18d7d3258f114d1a185811448a2bab8ebb9929d
Instruction ID: 46dc00a78bccf2dfd4424939369b9c840b04c59a9468470192deb6de4e13d63e
Opcode Fuzzy Hash: a0e1326d5b2c20929dd79824d18d7d3258f114d1a185811448a2bab8ebb9929d
Instruction Fuzzy Hash: E4F1BD315043119FC714EF24D891B6EBBE5BF85328F18855EF8959B2A2CB71EC41CB62

Function 00D23FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D3CC08), ref: 00D240BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00D240CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00D3CC08), ref: 00D240F2
FreeLibrary.KERNEL32(00000000,?,00D3CC08), ref: 00D2413E
StringFromGUID2.OLE32(?,?,00000028,?,00D3CC08), ref: 00D241A8
SysFreeString.OLEAUT32(00000009), ref: 00D24262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D242C8
SysFreeString.OLEAUT32(?), ref: 00D242F2

Strings

GetModuleHandleExW, xrefs: 00D240C7
kernel32.dll, xrefs: 00D240B6

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 3e6702e2ff79f49c07d5669833f236e8d08fc6dbcdd7f9eb13faad8ddb46466a
Instruction ID: 60aa802e540208322c98a36bdf403fc18ba0cdc5e5657949708471fd546dc758
Opcode Fuzzy Hash: 3e6702e2ff79f49c07d5669833f236e8d08fc6dbcdd7f9eb13faad8ddb46466a
Instruction Fuzzy Hash: 36127E75A00225EFDB14DF94D884EAEBBB5FF55318F288098F905AB251C771ED42CBA0

Function 00CA326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00D71990), ref: 00CE2F8D
GetMenuItemCount.USER32(00D71990), ref: 00CE303D
GetCursorPos.USER32(?), ref: 00CE3081
SetForegroundWindow.USER32(00000000), ref: 00CE308A
TrackPopupMenuEx.USER32(00D71990,00000000,?,00000000,00000000,00000000), ref: 00CE309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CE30A9

Strings

0, xrefs: 00CA327D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 18bfd1c35ae9b3105879b6746b2e8b85bef1fcc08e8600de6cd34d945e8fca7d
Instruction ID: ccda7e0bb27ee6fa82106a336eda3367176bb6b20cf6ac65833d6e76b09c4b76
Opcode Fuzzy Hash: 18bfd1c35ae9b3105879b6746b2e8b85bef1fcc08e8600de6cd34d945e8fca7d
Instruction Fuzzy Hash: DF713A31644296BEFB218F66CC49F9ABF68FF01324F244206F524AA1E1C7B1AE50D760

Function 00D36CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00D36DEB

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D36E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D36E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D36E94
DestroyWindow.USER32(?), ref: 00D36EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00CA0000,00000000), ref: 00D36EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D36EFD
GetDesktopWindow.USER32 ref: 00D36F16
GetWindowRect.USER32(00000000), ref: 00D36F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D36F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D36F4D

Part of subcall function 00CB9944: GetWindowLongW.USER32(?,000000EB), ref: 00CB9952

Strings

0, xrefs: 00D36D98
tooltips_class32, xrefs: 00D36E58, 00D36EDD

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: d7e3c8fea6d08ccf949d11254cbf30784a779aaeec1b4f93ba81b416fdb80cf0
Instruction ID: e71a162091a229cd13980a223d2928935d4862fbe79a8c609cd2315231552225
Opcode Fuzzy Hash: d7e3c8fea6d08ccf949d11254cbf30784a779aaeec1b4f93ba81b416fdb80cf0
Instruction Fuzzy Hash: 6D716574104345AFDB21CF18D844BAABBE9FF89304F08891DFA99D7261D770E94ADB21

Function 00D3911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

DragQueryPoint.SHELL32(?,?), ref: 00D39147

Part of subcall function 00D37674: ClientToScreen.USER32(?,?), ref: 00D3769A
Part of subcall function 00D37674: GetWindowRect.USER32(?,?), ref: 00D37710
Part of subcall function 00D37674: PtInRect.USER32(?,?,00D38B89), ref: 00D37720

SendMessageW.USER32(?,000000B0,?,?), ref: 00D391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D39225
SendMessageW.USER32(?,000000B0,?,?), ref: 00D3923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00D39255
SendMessageW.USER32(?,000000B1,?,?), ref: 00D39277
DragFinish.SHELL32(?), ref: 00D3927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D39371

Strings

@GUI_DRAGFILE, xrefs: 00D39320
@GUI_DROPID, xrefs: 00D3929E
@GUI_DRAGID, xrefs: 00D392E9

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: b66e8653aeffa4f4a973f881a2ad9cf14bb97ea18a85d7760ac18dfac98dfc7b
Instruction ID: 1671d3ddfaeb6571626d8f4720e3d99339745db1ef9c7ea9f290c2e820b46cee
Opcode Fuzzy Hash: b66e8653aeffa4f4a973f881a2ad9cf14bb97ea18a85d7760ac18dfac98dfc7b
Instruction Fuzzy Hash: 7B617C71108301AFC701EF64DC85DAFBBE8EF89754F400A1EF595932A1DB70AA49CB62

Function 00D1C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D1C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D1C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D1C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00D1C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00D1C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00D1C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D1C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D1C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D1C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D1C5F0
InternetCloseHandle.WININET(00000000), ref: 00D1C5FB

Strings

, xrefs: 00D1C575

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: f332af82a9db512e2624588e08802540656052b813ed23972a9b727a85748470
Instruction ID: 940f1c7540467d7382e2b742b9556be814cf3a737c09e071be3feb3d51922dd9
Opcode Fuzzy Hash: f332af82a9db512e2624588e08802540656052b813ed23972a9b727a85748470
Instruction Fuzzy Hash: 5C5139B1550308BFEB218FA4D988ABB7BBDFF08754F046419F945E6210EB34E9849B70

Function 00D3856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00D38592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D385A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D385AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D385BA
GlobalLock.KERNEL32(00000000), ref: 00D385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D385D7
GlobalUnlock.KERNEL32(00000000), ref: 00D385E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D385F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00D3FC38,?), ref: 00D38611
GlobalFree.KERNEL32(00000000), ref: 00D38621
GetObjectW.GDI32(?,00000018,?), ref: 00D38641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00D38671
DeleteObject.GDI32(?), ref: 00D38699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00D386AF

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: e22736b21b7cae7145e53d9fc6b045884679b13684a7196a95b179e2355ffed9
Instruction ID: a40dd1d74b4fc8dcde1023d1679a79d38bcd8b580ce9f08c8cef4d0c0425b42a
Opcode Fuzzy Hash: e22736b21b7cae7145e53d9fc6b045884679b13684a7196a95b179e2355ffed9
Instruction Fuzzy Hash: 2E41F875610308AFDB119FA5DC89EAB7BB8FF89B11F148058F906E7260DB709901DB70

Function 00D114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00D11502
VariantCopy.OLEAUT32(?,?), ref: 00D1150B
VariantClear.OLEAUT32(?), ref: 00D11517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00D115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00D11657
VariantInit.OLEAUT32(?), ref: 00D11708
SysFreeString.OLEAUT32(?), ref: 00D1178C
VariantClear.OLEAUT32(?), ref: 00D117D8
VariantClear.OLEAUT32(?), ref: 00D117E7
VariantInit.OLEAUT32(00000000), ref: 00D11823

Strings

Default, xrefs: 00D116AF
%4d%02d%02d%02d%02d%02d, xrefs: 00D11625

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 09a9993c9c0b2cccda1323929f721e8da961661883e3518fdea2d85ac80daae4
Instruction ID: c3dadcc3d7f2e9ccd4c87ba5f62a7f5dc0124d6375d8be9d0007eab191f180c7
Opcode Fuzzy Hash: 09a9993c9c0b2cccda1323929f721e8da961661883e3518fdea2d85ac80daae4
Instruction Fuzzy Hash: 37D11235600615EBEB109F64E885BFDB7B6BF45700F148459E686AB280DF30EC85EB72

Function 00D2B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D2B6AE,?,?), ref: 00D2C9B5
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2C9F1
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2CA68
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D2B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D2B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00D2B80A
RegCloseKey.ADVAPI32(?), ref: 00D2B87E
RegCloseKey.ADVAPI32(?), ref: 00D2B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00D2B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D2B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00D2B922
FreeLibrary.KERNEL32(00000000), ref: 00D2B983
RegCloseKey.ADVAPI32(00000000), ref: 00D2B994

Strings

RegDeleteKeyExW, xrefs: 00D2B8FE
advapi32.dll, xrefs: 00D2B8ED

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: da5d0491b31cf6a5cdc5583c4dbe8cf7b0dd54e01d80baa418d4b5c2761bd953
Instruction ID: bc22ff7871be43ad9630e35b017401a877c4d83c9fd33a2339c6c1d8819a4725
Opcode Fuzzy Hash: da5d0491b31cf6a5cdc5583c4dbe8cf7b0dd54e01d80baa418d4b5c2761bd953
Instruction Fuzzy Hash: 53C1AC30208212AFD714DF24D495F2ABBE1FF95318F18845DE49A8B2A2CB71EC45DBA1

Function 00D2255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00D225E8
CreateCompatibleDC.GDI32(?), ref: 00D225F4
SelectObject.GDI32(00000000,?), ref: 00D22601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00D2266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00D226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00D226D0
SelectObject.GDI32(?,?), ref: 00D226D8
DeleteObject.GDI32(?), ref: 00D226E1
DeleteDC.GDI32(?), ref: 00D226E8
ReleaseDC.USER32(00000000,?), ref: 00D226F3

Strings

(, xrefs: 00D2268D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 773e76fd38a35ad33753dff008c8e25439f381d90abc4195fba2e724cf28ed6a
Instruction ID: 1ba8000686d7f4ff778d514136c2c28d88c18fd0f8a39526703281d3503894a6
Opcode Fuzzy Hash: 773e76fd38a35ad33753dff008c8e25439f381d90abc4195fba2e724cf28ed6a
Instruction Fuzzy Hash: E261F176D00219EFCF14CFA8D884AAEBBB6FF48310F208529E955A7350D770A941DFA0

Function 00CDDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00CDDAA1

Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD659
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD66B
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD67D
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD68F
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD6A1
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD6B3
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD6C5
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD6D7
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD6E9
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD6FB
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD70D
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD71F
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD731

_free.LIBCMT ref: 00CDDA96

Part of subcall function 00CD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000), ref: 00CD29DE
Part of subcall function 00CD29C8: GetLastError.KERNEL32(00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000,00000000), ref: 00CD29F0

_free.LIBCMT ref: 00CDDAB8
_free.LIBCMT ref: 00CDDACD
_free.LIBCMT ref: 00CDDAD8
_free.LIBCMT ref: 00CDDAFA
_free.LIBCMT ref: 00CDDB0D
_free.LIBCMT ref: 00CDDB1B
_free.LIBCMT ref: 00CDDB26
_free.LIBCMT ref: 00CDDB5E
_free.LIBCMT ref: 00CDDB65
_free.LIBCMT ref: 00CDDB82
_free.LIBCMT ref: 00CDDB9A

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: dd6731532c12c81b4af2ce8022cba73fbedebb5e0d48e8a0eef06c1ab5ca8373
Instruction ID: 3391ffcc548399693e0afd159a4d7ee267c3f8b4340c564c4755e94fb6436180
Opcode Fuzzy Hash: dd6731532c12c81b4af2ce8022cba73fbedebb5e0d48e8a0eef06c1ab5ca8373
Instruction Fuzzy Hash: D6314D31A04705AFEB21AA39E845B56B7E9FF10314F15441BF66AD7391DF31ED80A720

Function 00D0365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D0369C
_wcslen.LIBCMT ref: 00D036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D03797
GetClassNameW.USER32(?,?,00000400), ref: 00D0380C
GetDlgCtrlID.USER32(?), ref: 00D0385D
GetWindowRect.USER32(?,?), ref: 00D03882
GetParent.USER32(?), ref: 00D038A0
ScreenToClient.USER32(00000000), ref: 00D038A7
GetClassNameW.USER32(?,?,00000100), ref: 00D03921
GetWindowTextW.USER32(?,?,00000400), ref: 00D0395D

Strings

%s%u, xrefs: 00D03734

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: c189f15416d20a382ee0c0a9af4c6f37ae5129e39ecdbb5356890d2dbdcadf3b
Instruction ID: 48660c12341ea7d92af5bf93798a0a462bcded79d2eee085f79f62a86fb5f6f3
Opcode Fuzzy Hash: c189f15416d20a382ee0c0a9af4c6f37ae5129e39ecdbb5356890d2dbdcadf3b
Instruction Fuzzy Hash: D9918B71204706AFD719DF24D885FAAB7ACFF48350F448629F999D2190DB30EA45CBA1

Function 00D04954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00D04994
GetWindowTextW.USER32(?,?,00000400), ref: 00D049DA
_wcslen.LIBCMT ref: 00D049EB
CharUpperBuffW.USER32(?,00000000), ref: 00D049F7
_wcsstr.LIBVCRUNTIME ref: 00D04A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00D04A64
GetWindowTextW.USER32(?,?,00000400), ref: 00D04A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00D04AE6
GetClassNameW.USER32(?,?,00000400), ref: 00D04B20
GetWindowRect.USER32(?,?), ref: 00D04B8B

Strings

ThumbnailClass, xrefs: 00D04A6F, 00D04AF1

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 0fddbf5c599f5b55df3c9b033edcb2b6f3008f062db75d8e88f7f95696d311c7
Instruction ID: 3a37b2a8794b643f17f9e50291b6fc7faff372ba965a7ac0c1bb30697522b960
Opcode Fuzzy Hash: 0fddbf5c599f5b55df3c9b033edcb2b6f3008f062db75d8e88f7f95696d311c7
Instruction Fuzzy Hash: 80918AB21043059BDB14DF14C985FAAB7E8EF84354F088469FE899A1D6EB30ED45CBB1

Function 00D38D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D38D5A
GetFocus.USER32 ref: 00D38D6A
GetDlgCtrlID.USER32(00000000), ref: 00D38D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00D38E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00D38ECF
GetMenuItemCount.USER32(?), ref: 00D38EEC
GetMenuItemID.USER32(?,00000000), ref: 00D38EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00D38F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00D38F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D38FA1

Strings

0, xrefs: 00D38E9F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: be3dbf4517b8434fc0b4b265006f8f8755acb418df71039c04847a553584ca6a
Instruction ID: cf074824aa9b9be1e5f6ab47945a49a7ceb48e004585dcd852f7e5fe8e548c06
Opcode Fuzzy Hash: be3dbf4517b8434fc0b4b265006f8f8755acb418df71039c04847a553584ca6a
Instruction Fuzzy Hash: F7818C71508301AFD720DF24D884AABBBE9FF88354F180A19F995E7291DB71D901EBB1

Function 00D0BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00D71990,000000FF,00000000,00000030), ref: 00D0BFAC
SetMenuItemInfoW.USER32(00D71990,00000004,00000000,00000030), ref: 00D0BFE1
Sleep.KERNEL32(000001F4), ref: 00D0BFF3
GetMenuItemCount.USER32(?), ref: 00D0C039
GetMenuItemID.USER32(?,00000000), ref: 00D0C056
GetMenuItemID.USER32(?,-00000001), ref: 00D0C082
GetMenuItemID.USER32(?,?), ref: 00D0C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D0C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D0C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D0C145

Strings

0, xrefs: 00D0BF3D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 767f0ed192e136d4a00d592a8740039f2827a0c0bb902eece52135e3b9b5b091
Instruction ID: 62ce079e65b50db7fd9be691fa99d6d1e1009db0403947e620164961528f6408
Opcode Fuzzy Hash: 767f0ed192e136d4a00d592a8740039f2827a0c0bb902eece52135e3b9b5b091
Instruction Fuzzy Hash: 65617CB092034AAFDB11CF68CC88BAEBBB8EB05354F041215E849A32D1D771AD45CB71

Function 00D0DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00D0DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00D0DC46
_wcslen.LIBCMT ref: 00D0DC50
_wcsstr.LIBVCRUNTIME ref: 00D0DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00D0DCBC

Strings

%u.%u.%u.%u, xrefs: 00D0DD9A
\VarFileInfo\Translation, xrefs: 00D0DCB4
StringFileInfo\, xrefs: 00D0DC8F
DefaultLangCodepage, xrefs: 00D0DD1F
04090000, xrefs: 00D0DCF2

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 3ba505856f3bd6c96927b34ee7336464937e193833413db7c045e08f8c853717
Instruction ID: 28547e41a7248da5470c6702ce9d90955411281e3e0da9cee242da1a29258c91
Opcode Fuzzy Hash: 3ba505856f3bd6c96927b34ee7336464937e193833413db7c045e08f8c853717
Instruction Fuzzy Hash: 8E41DD72A403017AEB14A7B4DC47FBF77ACEF56710F14006AF904A62C2EA70DA01A7B4

Function 00D2CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D2CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00D2CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D2CD48

Part of subcall function 00D2CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00D2CCAA
Part of subcall function 00D2CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00D2CCBD
Part of subcall function 00D2CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D2CCCF
Part of subcall function 00D2CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D2CD05
Part of subcall function 00D2CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D2CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00D2CCF3

Strings

RegDeleteKeyExW, xrefs: 00D2CCC9
advapi32.dll, xrefs: 00D2CCB8

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 786015e420513302bc408ac20e04b014df72e423c0c411adffb44d5425c1240b
Instruction ID: 2de7f78c83ee8677653588e72d810b69fe16008ffac16aa85ee1c9c5bde080ef
Opcode Fuzzy Hash: 786015e420513302bc408ac20e04b014df72e423c0c411adffb44d5425c1240b
Instruction Fuzzy Hash: 45318E76911228BBDB208B61EC88EFFBB7CEF15744F041165A905E3240DA749E45EBB0

Function 00D13D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D13D40
_wcslen.LIBCMT ref: 00D13D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D13D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00D13DBE
RemoveDirectoryW.KERNEL32(?), ref: 00D13DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00D13E55
CloseHandle.KERNEL32(00000000), ref: 00D13E60
CloseHandle.KERNEL32(00000000), ref: 00D13E6B

Strings

:, xrefs: 00D13D82
\??\%s, xrefs: 00D13D5B
\, xrefs: 00D13D77

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: bd8c5c6d570b634c5c8f07d6f5c37a9fb0be97be2ef675577eab2eda6a806bb8
Instruction ID: 7ebf4c18410ca2f9e113991ad4b153150ea99aa46712cf02305ddafcf0efad58
Opcode Fuzzy Hash: bd8c5c6d570b634c5c8f07d6f5c37a9fb0be97be2ef675577eab2eda6a806bb8
Instruction Fuzzy Hash: 1C31A176910209ABDB209BA0EC49FEF37BCEF88700F1441B9F505E61A0EB7497848B74

Function 00D0E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00D0E6B4

Part of subcall function 00CBE551: timeGetTime.WINMM(?,?,00D0E6D4), ref: 00CBE555

Sleep.KERNEL32(0000000A), ref: 00D0E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00D0E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00D0E727
SetActiveWindow.USER32 ref: 00D0E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D0E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00D0E773
Sleep.KERNEL32(000000FA), ref: 00D0E77E
IsWindow.USER32 ref: 00D0E78A
EndDialog.USER32(00000000), ref: 00D0E79B

Strings

BUTTON, xrefs: 00D0E719

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 89a976dc9143a353d544e9edab0e40fc9ba0c9185e250aae8f42de09b9c78290
Instruction ID: 76ebee6333d3adeb6773868d8cdb5ad804ce65cba2feb4f9268f56cabad086fd
Opcode Fuzzy Hash: 89a976dc9143a353d544e9edab0e40fc9ba0c9185e250aae8f42de09b9c78290
Instruction Fuzzy Hash: 55216FB0210344AFEB006F65EC8AB393B69E794749F541825F50ED13F1EB71AC409B34

Function 00D0E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D0EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D0EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D0EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D0EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D0EAA7

Strings

play PlayMe, xrefs: 00D0EAA2
open , xrefs: 00D0EA0C
alias PlayMe, xrefs: 00D0EA36
status PlayMe mode, xrefs: 00D0EA58
close PlayMe, xrefs: 00D0EA6E, 00D0EA9B
play PlayMe wait, xrefs: 00D0EA91

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 0155baedd0ce98656e941c85e20cc7eb6a7b91854d9280c3afe6912441371f0a
Instruction ID: d90bb80301aa0cb6218e8d344da907bbd82c2dbe02d09a77e4a81e100cda80c4
Opcode Fuzzy Hash: 0155baedd0ce98656e941c85e20cc7eb6a7b91854d9280c3afe6912441371f0a
Instruction Fuzzy Hash: 26117731B902597ED710A762DC4AEFF6B7CEBD6B44F04082AB805A20D1EFB04D09C9B0

Function 00D09F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D0A012
SetKeyboardState.USER32(?), ref: 00D0A07D
GetAsyncKeyState.USER32(000000A0), ref: 00D0A09D
GetKeyState.USER32(000000A0), ref: 00D0A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00D0A0E3
GetKeyState.USER32(000000A1), ref: 00D0A0F4
GetAsyncKeyState.USER32(00000011), ref: 00D0A120
GetKeyState.USER32(00000011), ref: 00D0A12E
GetAsyncKeyState.USER32(00000012), ref: 00D0A157
GetKeyState.USER32(00000012), ref: 00D0A165
GetAsyncKeyState.USER32(0000005B), ref: 00D0A18E
GetKeyState.USER32(0000005B), ref: 00D0A19C

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b35aa5caec591aaada5a7f5adba381fb7f227aed0a56d8625fcdb2d111c71507
Instruction ID: e67505888f4b62f70ac074c275d9d04160a388c534fd7652c4081c8201b65f65
Opcode Fuzzy Hash: b35aa5caec591aaada5a7f5adba381fb7f227aed0a56d8625fcdb2d111c71507
Instruction Fuzzy Hash: 0851A53090478829FB35DB7489117EABFB59F12380F0C859AD5CA5B1C3DA94AA4CC773

Function 00D05CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00D05CE2
GetWindowRect.USER32(00000000,?), ref: 00D05CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00D05D59
GetDlgItem.USER32(?,00000002), ref: 00D05D69
GetWindowRect.USER32(00000000,?), ref: 00D05D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00D05DCF
GetDlgItem.USER32(?,000003E9), ref: 00D05DDD
GetWindowRect.USER32(00000000,?), ref: 00D05DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00D05E31
GetDlgItem.USER32(?,000003EA), ref: 00D05E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D05E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00D05E67

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f4eec89ef350484919bc692bfa2318abd57f694373f902c7233c6caf09b34371
Instruction ID: 465d87c4009b582628dec39f5b57ad86c8075314dca66a6c3334c62878ef157d
Opcode Fuzzy Hash: f4eec89ef350484919bc692bfa2318abd57f694373f902c7233c6caf09b34371
Instruction Fuzzy Hash: FA51FCB1A10715AFDB18CF68DD89BAEBBB5EB48300F149129F919E7294D7709E04CF60

Function 00CB8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CB8BE8,?,00000000,?,?,?,?,00CB8BBA,00000000,?), ref: 00CB8FC5

DestroyWindow.USER32(?), ref: 00CB8C81
KillTimer.USER32(00000000,?,?,?,?,00CB8BBA,00000000,?), ref: 00CB8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00CF6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00CB8BBA,00000000,?), ref: 00CF69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00CB8BBA,00000000,?), ref: 00CF69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00CB8BBA,00000000), ref: 00CF69D4
DeleteObject.GDI32(00000000), ref: 00CF69E6

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 22ee5d5c48cc25624b71506e595532fc47157bf5d994e3a1c59ff2caca0c14e3
Instruction ID: 761f0040b377e08809a2fcdf57fc1c61f057cfac240b726fc6e3e58734c14270
Opcode Fuzzy Hash: 22ee5d5c48cc25624b71506e595532fc47157bf5d994e3a1c59ff2caca0c14e3
Instruction Fuzzy Hash: 1861DC75102705DFCB258F28C948BB57BF5FB04312F144618E2669B6A0CB71AEC5EFA1

Function 00CB9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9944: GetWindowLongW.USER32(?,000000EB), ref: 00CB9952

GetSysColor.USER32(0000000F), ref: 00CB9862

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 687f79a1a4f7c9e6973fed6b7daa3ed6e5a958516e8f0735b7344efa278f91e4
Instruction ID: 0e47c3c06878a4c824c67f028d5299e40de8cda3955cbb255db9264bc831aaff
Opcode Fuzzy Hash: 687f79a1a4f7c9e6973fed6b7daa3ed6e5a958516e8f0735b7344efa278f91e4
Instruction Fuzzy Hash: F0417B31504744AFDB215B389C88BB93BA5EB06320F145619EAB69B2E1D7329942EB21

Function 00D096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00CEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00D09717
LoadStringW.USER32(00000000,?,00CEF7F8,00000001), ref: 00D09720

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00CEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00D09742
LoadStringW.USER32(00000000,?,00CEF7F8,00000001), ref: 00D09745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00D09866

Strings

Line %d:, xrefs: 00D097A0
^ ERROR, xrefs: 00D097FB
%s (%d) : ==> %s: %s %s, xrefs: 00D0984A
Error: , xrefs: 00D0981D
Line %d (File "%s"):, xrefs: 00D0978F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 4a916c4ee1a614b33956ca6024c6cbfa33d4a2e63b10329c09b5f63d4c0ffa0d
Instruction ID: d2adefb47e0059913f3a0af79967a7d52831bb551ff8a09fb69a15a616084ec9
Opcode Fuzzy Hash: 4a916c4ee1a614b33956ca6024c6cbfa33d4a2e63b10329c09b5f63d4c0ffa0d
Instruction Fuzzy Hash: FC413A7280421AAACF04EBE0DD96EEEB778EF56344F104025F505B21A2EB356F49DB71

Function 00D33F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00D3403B
CreateCompatibleDC.GDI32(00000000), ref: 00D34042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00D34055
SelectObject.GDI32(00000000,00000000), ref: 00D3405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D34068
DeleteDC.GDI32(00000000), ref: 00D34072
GetWindowLongW.USER32(?,000000EC), ref: 00D3407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00D34092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00D3409E

Strings

static, xrefs: 00D33FD3

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 07ab0b655487fbfc307ed30c6edc077b76aff846cc8e62c1c5709555f83f9a78
Instruction ID: 332692872bace074cb46d7bd502f99b018bb1e89a4b10f9bfd08436e386a7c3b
Opcode Fuzzy Hash: 07ab0b655487fbfc307ed30c6edc077b76aff846cc8e62c1c5709555f83f9a78
Instruction Fuzzy Hash: 29317A32111215ABDF219FA4CC09FDA3B68EF0D320F051210FA18E61A0C735D860EBB0

Function 00D23C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D23C5C
CoInitialize.OLE32(00000000), ref: 00D23C8A
CoUninitialize.OLE32 ref: 00D23C94
_wcslen.LIBCMT ref: 00D23D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00D23DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00D23ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00D23F0E
CoGetObject.OLE32(?,00000000,00D3FB98,?), ref: 00D23F2D
SetErrorMode.KERNEL32(00000000), ref: 00D23F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D23FC4
VariantClear.OLEAUT32(?), ref: 00D23FD8

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: ddcc5ef78c7fd59c937aebfcb5f4e68c6b0eae3d510c6de0ab943fc6fd90d5bc
Instruction ID: 970f68a6ca11f1229a70018133e95470c6733876e1be53089ce5f8429712bb19
Opcode Fuzzy Hash: ddcc5ef78c7fd59c937aebfcb5f4e68c6b0eae3d510c6de0ab943fc6fd90d5bc
Instruction Fuzzy Hash: E6C14471608315AFC700DF68D88492BBBE9FF99748F04495DF98A9B210D735EE05CB62

Function 00D17A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D17AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00D17B8F
SHGetDesktopFolder.SHELL32(?), ref: 00D17BA3
CoCreateInstance.OLE32(00D3FD08,00000000,00000001,00D66E6C,?), ref: 00D17BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00D17C74
CoTaskMemFree.OLE32(?,?), ref: 00D17CCC
SHBrowseForFolderW.SHELL32(?), ref: 00D17D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D17D7A
CoTaskMemFree.OLE32(00000000), ref: 00D17D81
CoTaskMemFree.OLE32(00000000), ref: 00D17DD6
CoUninitialize.OLE32 ref: 00D17DDC

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 43f593d8aa942f011e1fdf4e05ba1c7b006099bb5d7850a6074b3696a4852f3f
Instruction ID: af2565c1fe30a6c7b5a2e406ea2689bd38f6dce068c8e8197fb8ad021e922934
Opcode Fuzzy Hash: 43f593d8aa942f011e1fdf4e05ba1c7b006099bb5d7850a6074b3696a4852f3f
Instruction Fuzzy Hash: 95C10A75A04209AFCB14DFA4D884DAEBBF5FF48314B148499E516DB361DB30EE85CBA0

Function 00D3541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D35504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D35515
CharNextW.USER32(00000158), ref: 00D35544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D35585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D3559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D355AC

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 5ac4af71d97416a6c132c8255c4cd284bd17cfc6faf810a5b266b90db8f936f2
Instruction ID: 72320c77fa266fa27b0357ca1e9e9371820145a8c8ea4d132eac455f4572114c
Opcode Fuzzy Hash: 5ac4af71d97416a6c132c8255c4cd284bd17cfc6faf810a5b266b90db8f936f2
Instruction Fuzzy Hash: EF619B75900608EFDF10CF94EC85AFE7BB9EB0A320F148155F965AB2A4D7709A80DB70

Function 00CFFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00CFFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00CFFB08
VariantInit.OLEAUT32(?), ref: 00CFFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00CFFB3A
VariantCopy.OLEAUT32(?,?), ref: 00CFFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00CFFBA1
VariantClear.OLEAUT32(?), ref: 00CFFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00CFFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CFFBCC
VariantClear.OLEAUT32(?), ref: 00CFFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CFFBE9

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a2598741ca4a011104574fc29859c7926ef447d58185d06e9a314533ea1284a5
Instruction ID: ed1f858ebcc4b49b22275ccf6498c6e8de1140f1be4f7a6c5a3af1ea3ed9aff1
Opcode Fuzzy Hash: a2598741ca4a011104574fc29859c7926ef447d58185d06e9a314533ea1284a5
Instruction Fuzzy Hash: 28412035A0021D9FCB10DFA4D8549FEBBB9EF48354F008069E955E7361DB30A946DBA1

Function 00D09C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D09CA1
GetAsyncKeyState.USER32(000000A0), ref: 00D09D22
GetKeyState.USER32(000000A0), ref: 00D09D3D
GetAsyncKeyState.USER32(000000A1), ref: 00D09D57
GetKeyState.USER32(000000A1), ref: 00D09D6C
GetAsyncKeyState.USER32(00000011), ref: 00D09D84
GetKeyState.USER32(00000011), ref: 00D09D96
GetAsyncKeyState.USER32(00000012), ref: 00D09DAE
GetKeyState.USER32(00000012), ref: 00D09DC0
GetAsyncKeyState.USER32(0000005B), ref: 00D09DD8
GetKeyState.USER32(0000005B), ref: 00D09DEA

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8470b94497d9da61ddc0451c1409fcaab9668525f410ee01a01752b7be440b50
Instruction ID: 13ba441eb4f1c1b7965baad346f858eb9f0614d61f665dc165530e12161c3a8b
Opcode Fuzzy Hash: 8470b94497d9da61ddc0451c1409fcaab9668525f410ee01a01752b7be440b50
Instruction Fuzzy Hash: 0A4196349447C969FF319764C8243B5FEA06B51344F0C805ADACA566C3EBA59DC8C7B2

Function 00D2055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D205BC
inet_addr.WSOCK32(?), ref: 00D2061C
gethostbyname.WSOCK32(?), ref: 00D20628
IcmpCreateFile.IPHLPAPI ref: 00D20636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00D207B9
WSACleanup.WSOCK32 ref: 00D207BF

Strings

Ping, xrefs: 00D20676

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: b48e211d2dde10cb24ad33840017c3af802c34cfba4dac8b0cd47e71175346b2
Instruction ID: 8ac7d59377c31ad2aff0e339b07f9f7a2d0f42b2b179f811984d4aa47148881b
Opcode Fuzzy Hash: b48e211d2dde10cb24ad33840017c3af802c34cfba4dac8b0cd47e71175346b2
Instruction Fuzzy Hash: 10917A756083119FD320DF15D889F1ABBE0AF54318F1885A9E4A99B7A3C730ED45CFA1

Function 00D28CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00D28CF3

Part of subcall function 00D08E54: _wcslen.LIBCMT ref: 00D08E77

_wcslen.LIBCMT ref: 00D28D4E
_wcslen.LIBCMT ref: 00D28D9C
_wcslen.LIBCMT ref: 00D28DDC
_wcslen.LIBCMT ref: 00D28E6E

Strings

winapi, xrefs: 00D28D96, 00D28D9B
cdecl, xrefs: 00D28D48, 00D28D4D
stdcall, xrefs: 00D28DD6, 00D28DDB
none, xrefs: 00D28E65, 00D28E6A

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: d1045b417f3a603548cc64522e61d18d6cee3bce4734fee67f64e0a337f9c0da
Instruction ID: f34fdba10b3b163cd9122447bf491874f8b4787da17cd7bff6046d6157645470
Opcode Fuzzy Hash: d1045b417f3a603548cc64522e61d18d6cee3bce4734fee67f64e0a337f9c0da
Instruction Fuzzy Hash: 3D51C331A051269BCB14DF68D8409BEB3A5BF75328B294229F466E72C4DB32DD44E7A0

Function 00D2372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00D23774
CoUninitialize.OLE32 ref: 00D2377F
CoCreateInstance.OLE32(?,00000000,00000017,00D3FB78,?), ref: 00D237D9
IIDFromString.OLE32(?,?), ref: 00D2384C
VariantInit.OLEAUT32(?), ref: 00D238E4
VariantClear.OLEAUT32(?), ref: 00D23936

Strings

Failed to create object, xrefs: 00D237E4, 00D2389A
Invalid parameter, xrefs: 00D23865
NULL Pointer assignment, xrefs: 00D2381E

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 0cd23cb9de80bafee751b443558c84f6b31633c97a2983d89adc185a240431a0
Instruction ID: ce3bf49ae009b0ed66929dfa9d49e8edffe2867010b3a33919931d782432e2ed
Opcode Fuzzy Hash: 0cd23cb9de80bafee751b443558c84f6b31633c97a2983d89adc185a240431a0
Instruction Fuzzy Hash: DB61BF70608321AFD710DF64E849B5ABBE8EF59718F040909F9859B291D774EE48CBB2

Function 00D13388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00D133CF

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00D133F0

Strings

Incorrect parameters to object property !, xrefs: 00D134AB
"%s" (%d) : ==> %s:, xrefs: 00D13522
"%s" (%d) : ==> %s:%s%s, xrefs: 00D13504
Error: , xrefs: 00D134D1
Line %d (File "%s"):, xrefs: 00D13443, 00D1345C
^ ERROR , xrefs: 00D1349E

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 9d582d073eebc92987407350a40b5d7708f45ae38f41c7bd4a0718ae11420c28
Instruction ID: f8da424bfac55d2d3d75a471ed80c33cdf421261dde8d46e98d90ad4595b222e
Opcode Fuzzy Hash: 9d582d073eebc92987407350a40b5d7708f45ae38f41c7bd4a0718ae11420c28
Instruction Fuzzy Hash: E9518A7190020AABDF14EBA0DD56EEEB779EF05344F144165B409B21A2EF316F98EB70

Function 00D0B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D0B5FC
_wcslen.LIBCMT ref: 00D0B608
_wcslen.LIBCMT ref: 00D0B64D
_wcslen.LIBCMT ref: 00D0B68C
_wcslen.LIBCMT ref: 00D0B6C7

Strings

EXISTS, xrefs: 00D0B686, 00D0B68B
APPEND, xrefs: 00D0B6C1, 00D0B6C6
KEYS, xrefs: 00D0B647, 00D0B64C
REMOVE, xrefs: 00D0B602, 00D0B607

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 15f1c13ff0d1baf1a5227618448814ddfab02961aefda155df419e4007b0501f
Instruction ID: c05827b3bb8bdddf876c6fb1e7d8b8184676a9213727315126b74d763fa8397a
Opcode Fuzzy Hash: 15f1c13ff0d1baf1a5227618448814ddfab02961aefda155df419e4007b0501f
Instruction Fuzzy Hash: 8841A932A041279BCB105F7DC8906BE77A5ABA1774B68412BE469DF2C4E732CD81C7B0

Function 00D15393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D15416
GetLastError.KERNEL32 ref: 00D15420
SetErrorMode.KERNEL32(00000000,READY), ref: 00D154A7

Strings

UNKNOWN, xrefs: 00D15444
READONLY, xrefs: 00D15452
READY, xrefs: 00D15460, 00D15468
NOTREADY, xrefs: 00D1544B
INVALID, xrefs: 00D15459

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 68a1f5d57d8e0557460eb0f9f216096b02801937d55b1263eb8cf2318db64255
Instruction ID: e79221216e1171f0da7175795484c21bd4d2c91bd9110efa5182e1f94404c6cd
Opcode Fuzzy Hash: 68a1f5d57d8e0557460eb0f9f216096b02801937d55b1263eb8cf2318db64255
Instruction Fuzzy Hash: 5F318F35A00605EFC710DF68E484AEABBB4EB85309F188065E406DB396DB75DDC6CBB0

Function 00D33C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00D33C79
SetMenu.USER32(?,00000000), ref: 00D33C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D33D10
IsMenu.USER32(?), ref: 00D33D24
CreatePopupMenu.USER32 ref: 00D33D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D33D5B
DrawMenuBar.USER32 ref: 00D33D63

Strings

F, xrefs: 00D33D4E
0, xrefs: 00D33C54

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: cbb2be3d48b38b39274038241e0ed72eac28c9f85b7a01ace4a0c1728c276703
Instruction ID: 882e5b97f4070250a48093f47d222bde6bf1cd192cffb8cec7373f5742bf7880
Opcode Fuzzy Hash: cbb2be3d48b38b39274038241e0ed72eac28c9f85b7a01ace4a0c1728c276703
Instruction Fuzzy Hash: FD413979A01309AFDB14CF64E944AAA7BB5FF49350F180029F956E7360D770AA11CFA4

Function 00D01EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D03CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00D01F64
GetDlgCtrlID.USER32 ref: 00D01F6F
GetParent.USER32 ref: 00D01F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D01F8E
GetDlgCtrlID.USER32(?), ref: 00D01F97
GetParent.USER32(?), ref: 00D01FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D01FAE

Strings

ComboBox, xrefs: 00D01EEC
ListBox, xrefs: 00D01F21

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 009a3bf27840773d9fec3410f1de1d44b8cac556921a3978008ecb194d980f0f
Instruction ID: d00c0a8a5544c2ede4d3d0ea026e9ba612f9ac192325867be39afa0e42c3cffa
Opcode Fuzzy Hash: 009a3bf27840773d9fec3410f1de1d44b8cac556921a3978008ecb194d980f0f
Instruction Fuzzy Hash: 4B21CF75A00215BBCF04AFA0DC86EEEBBB8EF06354F004115F965A72E1CB389908DB70

Function 00D01FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D03CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00D02043
GetDlgCtrlID.USER32 ref: 00D0204E
GetParent.USER32 ref: 00D0206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D0206D
GetDlgCtrlID.USER32(?), ref: 00D02076
GetParent.USER32(?), ref: 00D0208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D0208D

Strings

ComboBox, xrefs: 00D01FCD
ListBox, xrefs: 00D02002

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 6fcbc79d2fa2655538983ab7eda115d1da5e8318e0b1aadd717311ca3a1edeac
Instruction ID: 4176e5cd5caa9de8fd25cbab0e6547e8d7f0df9fdc35195bb678edaaa3029bd9
Opcode Fuzzy Hash: 6fcbc79d2fa2655538983ab7eda115d1da5e8318e0b1aadd717311ca3a1edeac
Instruction Fuzzy Hash: FF218E75A00214BBDB10AFA4DC8AAFEBBB8EB05344F004015F955A72A1DA798918DB70

Function 00D33A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D33A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D33AA0
GetWindowLongW.USER32(?,000000F0), ref: 00D33AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D33AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D33B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00D33BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00D33BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00D33BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00D33BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00D33C13

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: fd47e767b536d9d5aae88730d273a5bbb00b5a1110a65231c99f5a0c4a5d5af0
Instruction ID: b9c29cd0babe19cf4d3f005780acd3dda98580b0e95029bf2081cad9526d9ca3
Opcode Fuzzy Hash: fd47e767b536d9d5aae88730d273a5bbb00b5a1110a65231c99f5a0c4a5d5af0
Instruction Fuzzy Hash: 82615A75900248AFDB10DFA8CD81EEE77B8EB09700F144199FA15E73A1D774AE85DB60

Function 00D0B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D0B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00D0A1E1,?,00000001), ref: 00D0B165
GetWindowThreadProcessId.USER32(00000000), ref: 00D0B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D0A1E1,?,00000001), ref: 00D0B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D0B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00D0A1E1,?,00000001), ref: 00D0B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D0A1E1,?,00000001), ref: 00D0B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00D0A1E1,?,00000001), ref: 00D0B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00D0A1E1,?,00000001), ref: 00D0B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00D0A1E1,?,00000001), ref: 00D0B21D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 97795198cd34de458a1a2b3ce42cd0a84917d900b3a283fafcfecab49b611149
Instruction ID: 71f981aa0faba7f0d5a4ab237ae57da3202c48dacb0b696662d3409c15299774
Opcode Fuzzy Hash: 97795198cd34de458a1a2b3ce42cd0a84917d900b3a283fafcfecab49b611149
Instruction Fuzzy Hash: FD319C71614304BFDB109F24DC49B6D7BA9BB61321F145416FA09E73E0E7B49A808F79

Function 00CD2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CD2C94

Part of subcall function 00CD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000), ref: 00CD29DE
Part of subcall function 00CD29C8: GetLastError.KERNEL32(00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000,00000000), ref: 00CD29F0

_free.LIBCMT ref: 00CD2CA0
_free.LIBCMT ref: 00CD2CAB
_free.LIBCMT ref: 00CD2CB6
_free.LIBCMT ref: 00CD2CC1
_free.LIBCMT ref: 00CD2CCC
_free.LIBCMT ref: 00CD2CD7
_free.LIBCMT ref: 00CD2CE2
_free.LIBCMT ref: 00CD2CED
_free.LIBCMT ref: 00CD2CFB

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dcf52a5746fe457c68cec829c53de3cad386514a828de01cffe4630c756aa279
Instruction ID: a7dd70824550489c368a2d13fa02ebb941302ace938b5c2744ec2bea9412f21f
Opcode Fuzzy Hash: dcf52a5746fe457c68cec829c53de3cad386514a828de01cffe4630c756aa279
Instruction Fuzzy Hash: 26119376100108BFCB02EF54D892CDD3BA5FF15350F4144A6FA489B322DA31EE50BB90

Function 00CA1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00CA1459
OleUninitialize.OLE32(?,00000000), ref: 00CA14F8
UnregisterHotKey.USER32(?), ref: 00CA16DD
DestroyWindow.USER32(?), ref: 00CE24B9
FreeLibrary.KERNEL32(?), ref: 00CE251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CE254B

Strings

close all, xrefs: 00CA1454

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 4eeee29de0c86e4847a2095b0d7dc341e25512e7573a05d060b81ff174f78f60
Instruction ID: 9dc60aca8246a7c830ded049da99e5b2c8517db9bccabc5791043959cca6ceae
Opcode Fuzzy Hash: 4eeee29de0c86e4847a2095b0d7dc341e25512e7573a05d060b81ff174f78f60
Instruction Fuzzy Hash: 34D15F31702252CFCB19EF16C995B69F7A4BF06704F1942ADE84AAB251DB30ED12DF60

Function 00D17DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D17FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00D17FC1
GetFileAttributesW.KERNEL32(?), ref: 00D17FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00D18005
SetCurrentDirectoryW.KERNEL32(?), ref: 00D18017
SetCurrentDirectoryW.KERNEL32(?), ref: 00D18060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D180B0

Strings

*.*, xrefs: 00D18066

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: d6d08b6c579c1bcbcbe32e7c3ebb753d7c55863e227f35d882b955631692d285
Instruction ID: 5b7f266c389d58999a2c6bd03a61b488495f4e2d459844c721af198c1c5c1ca4
Opcode Fuzzy Hash: d6d08b6c579c1bcbcbe32e7c3ebb753d7c55863e227f35d882b955631692d285
Instruction Fuzzy Hash: A281A172508246ABCB20EF54D844AEAB3E8BF89314F18485EF885D7261DF34DD859B62

Function 00CA5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00CA5C7A

Part of subcall function 00CA5D0A: GetClientRect.USER32(?,?), ref: 00CA5D30
Part of subcall function 00CA5D0A: GetWindowRect.USER32(?,?), ref: 00CA5D71
Part of subcall function 00CA5D0A: ScreenToClient.USER32(?,?), ref: 00CA5D99

GetDC.USER32 ref: 00CE46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00CE4708
SelectObject.GDI32(00000000,00000000), ref: 00CE4716
SelectObject.GDI32(00000000,00000000), ref: 00CE472B
ReleaseDC.USER32(?,00000000), ref: 00CE4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00CE47C4

Strings

U, xrefs: 00CE4693

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: a4f053b2ac8b27f2286fd5a47e13b09c2c060399c35c373d4a38fd7bbe0aa577
Instruction ID: 06076ad739e324b03aa861ed1650f96a8999acaf462a2a59356371d4b29e1c11
Opcode Fuzzy Hash: a4f053b2ac8b27f2286fd5a47e13b09c2c060399c35c373d4a38fd7bbe0aa577
Instruction Fuzzy Hash: 50710634400345DFCF298F65C984ABA7BB5FF4A364F144269FD659A2AAC3308D41DFA0

Function 00D1359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00D135E4

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

LoadStringW.USER32(00D72390,?,00000FFF,?), ref: 00D1360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00D13742
^ ERROR, xrefs: 00D136C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00D13724
Error: , xrefs: 00D136EF
Line %d (File "%s"):, xrefs: 00D1366B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 2688c42d1e9000095af5367e43f7be201b5484c8d8c0cbed58aeb9d7cdc77b58
Instruction ID: aaa7347da913501f59e72958ca470936c50989a7917d128759c450cebab9dd5b
Opcode Fuzzy Hash: 2688c42d1e9000095af5367e43f7be201b5484c8d8c0cbed58aeb9d7cdc77b58
Instruction Fuzzy Hash: C7516C7190021ABBDF15EBA0DC52EEEBB38EF05344F144125F105721A2EB306A99EBB0

Function 00D38B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

Part of subcall function 00CB912D: GetCursorPos.USER32(?), ref: 00CB9141
Part of subcall function 00CB912D: ScreenToClient.USER32(00000000,?), ref: 00CB915E
Part of subcall function 00CB912D: GetAsyncKeyState.USER32(00000001), ref: 00CB9183
Part of subcall function 00CB912D: GetAsyncKeyState.USER32(00000002), ref: 00CB919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00D38B6B
ImageList_EndDrag.COMCTL32 ref: 00D38B71
ReleaseCapture.USER32 ref: 00D38B77
SetWindowTextW.USER32(?,00000000), ref: 00D38C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D38C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00D38CFF

Strings

@GUI_DRAGFILE, xrefs: 00D38C9A
@GUI_DROPID, xrefs: 00D38C51

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 868aa079f9b91ddc9b6cf8059e04cb03fc477bffe32084d239d08e8953495afc
Instruction ID: 7526c5561be6701ba8a1a797344fb37bc4aec0ad3c12979953aaa98792b1c508
Opcode Fuzzy Hash: 868aa079f9b91ddc9b6cf8059e04cb03fc477bffe32084d239d08e8953495afc
Instruction Fuzzy Hash: 38517875204304AFD704DF24CC96FAA77E4FB88714F040629FA96A72A1DB70A944DBB2

Function 00D1C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D1C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D1C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D1C2CA
GetLastError.KERNEL32 ref: 00D1C322
SetEvent.KERNEL32(?), ref: 00D1C336
InternetCloseHandle.WININET(00000000), ref: 00D1C341

Strings

, xrefs: 00D1C2BB

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8df770c33595cc4f712f749451066d71de6e84f7f4d7075466b7faa1fe612a41
Instruction ID: 85b8de02a8be8b3d845b9fefcfe4caa5b8d69fd6b31e72912b173536b2ae2f66
Opcode Fuzzy Hash: 8df770c33595cc4f712f749451066d71de6e84f7f4d7075466b7faa1fe612a41
Instruction Fuzzy Hash: AB3191B1550304BFD7219F65AC88AAB7BFCEB49740B14A51DF496D2210DF30DD849B70

Function 00D0989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00CE3AAF,?,?,Bad directive syntax error,00D3CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00D098BC
LoadStringW.USER32(00000000,?,00CE3AAF,?), ref: 00D098C3

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00D09987

Strings

Line %d:, xrefs: 00D09912
., xrefs: 00D0996D
Error: , xrefs: 00D09955
%s (%d) : ==> %s.: %s %s, xrefs: 00D098F1
Line %d (File "%s"):, xrefs: 00D0992D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: c327b252ea59fdf52471f2e07aa72115a33cc4ba397dd5d82c245442926cd85f
Instruction ID: 66a45f3c581181a7afc0bc65a7c60b66b1bdd88c4cfb4fc3cb1273781fd9093f
Opcode Fuzzy Hash: c327b252ea59fdf52471f2e07aa72115a33cc4ba397dd5d82c245442926cd85f
Instruction Fuzzy Hash: 5D219132D4421AAFCF11EF90CC16EEE7735FF19304F045419F519620A2EB71A618EB60

Function 00D0209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00D020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00D020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D0214D

Strings

smallicons, xrefs: 00D02115
SHELLDLL_DefView, xrefs: 00D020CC
largeicons, xrefs: 00D020E1
details, xrefs: 00D020FB
list, xrefs: 00D0212F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 8cd644abc4e74c4ac351689e69171387f15ce6e3ca9b881555f15c5f822757a4
Instruction ID: 148db872b8e915e3339cd509ec82c102d55e30c959672e2b0a069e9a09c954b0
Opcode Fuzzy Hash: 8cd644abc4e74c4ac351689e69171387f15ce6e3ca9b881555f15c5f822757a4
Instruction Fuzzy Hash: CB113676288306BAFA192224EC0BFB6739CCB05324F20001AFB4CA50E5EA61A8466635

Function 00CD8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f404b8cad575d6617be695cd8dc4377021e9c37ce4e3efda76a69909a84859e
Instruction ID: 7ad4634c29ee09b0e1567b25c6a49b4a74889a14bf3122b298d67340912cfc0f
Opcode Fuzzy Hash: 7f404b8cad575d6617be695cd8dc4377021e9c37ce4e3efda76a69909a84859e
Instruction Fuzzy Hash: AFC1D478E04349AFDB11DFA8D841BADBFB1EF0D310F14419AE629A7392C7349A41DB61

Function 00CDCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00CDCEB7
_free.LIBCMT ref: 00CDCF22
_free.LIBCMT ref: 00CDCF48
_free.LIBCMT ref: 00CDCF71
_free.LIBCMT ref: 00CDCFA9
_free.LIBCMT ref: 00CDCFDA
_free.LIBCMT ref: 00CDD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00CDD09C
_free.LIBCMT ref: 00CDD0B5

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 796c2ca01cfb0ab6c014a8eb6517441a4f14b751c77c9ced7f14605a0d57a4f3
Instruction ID: 800fb2c067364976142690cd421b6c0280863bf80164b2354187e09d624f471f
Opcode Fuzzy Hash: 796c2ca01cfb0ab6c014a8eb6517441a4f14b751c77c9ced7f14605a0d57a4f3
Instruction Fuzzy Hash: 6D610671904312AFDB21AFF4D8C5AAA7BA5AF05320F04416FFB55D7382E6319A41E760

Function 00D350D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00D35186
ShowWindow.USER32(?,00000000), ref: 00D351C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00D351CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00D351D1

Part of subcall function 00D36FBA: DeleteObject.GDI32(00000000), ref: 00D36FE6

GetWindowLongW.USER32(?,000000F0), ref: 00D3520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D3521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D3524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00D35287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00D35296

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: a344597cfbb26565dfa29f94c175072e10b5e026501038029113c6f06dad5d3f
Instruction ID: 8962af9d4dbba6fa28f7a6f9ca7fdbd39df2e76aeb66cd73063f624c0fb66a6c
Opcode Fuzzy Hash: a344597cfbb26565dfa29f94c175072e10b5e026501038029113c6f06dad5d3f
Instruction Fuzzy Hash: 8651B134A50B08BFEF209F24EC4ABD93BA5FB05361F184111FA19A62E4C775A990DB74

Function 00CB8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00CF6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00CF68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00CF68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00CF68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00CF68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00CB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00CF6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00CF691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00CB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00CF692D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f0e1eb7b0d056ca9f3d0f7ae3bb567ffa7f74c46cb2b21f5170359d82c4cb9ed
Instruction ID: eb87e14ff9ed5ded551489c0a13ed2e4bbd06ae04357b18022925f288c7b7b95
Opcode Fuzzy Hash: f0e1eb7b0d056ca9f3d0f7ae3bb567ffa7f74c46cb2b21f5170359d82c4cb9ed
Instruction Fuzzy Hash: CD516974610309AFDB20CF25CC55BAA7BB9EB58750F104518FA66E72A0DB70EA90DB60

Function 00D1C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D1C182
GetLastError.KERNEL32 ref: 00D1C195
SetEvent.KERNEL32(?), ref: 00D1C1A9

Part of subcall function 00D1C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D1C272
Part of subcall function 00D1C253: GetLastError.KERNEL32 ref: 00D1C322
Part of subcall function 00D1C253: SetEvent.KERNEL32(?), ref: 00D1C336
Part of subcall function 00D1C253: InternetCloseHandle.WININET(00000000), ref: 00D1C341

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: a51343d21edee0d9e8241ba41b3cf785b1e3f836aa3406af9a4310086e55a3b2
Instruction ID: 7d5d99584183a2f707639089785c343bbf2406602882b5c94da22087faad74f5
Opcode Fuzzy Hash: a51343d21edee0d9e8241ba41b3cf785b1e3f836aa3406af9a4310086e55a3b2
Instruction Fuzzy Hash: 7931AE712A1701BFDB219FA5EC04AABBBF8FF18300B04641DF996D6611DB30E8949B70

Function 00D025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D03A57
Part of subcall function 00D03A3D: GetCurrentThreadId.KERNEL32 ref: 00D03A5E
Part of subcall function 00D03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D025B3), ref: 00D03A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00D025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00D025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00D025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00D02601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00D02605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D0260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00D02623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00D02627

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: fedf4b115af0eefca71d6ce3c1ab1e9e725aba8a21df03d1e33186baa7a40726
Instruction ID: 7ea3df334ec29614039bc6419f3e2d03c033b0f27debc5c3f3b264f6d6804592
Opcode Fuzzy Hash: fedf4b115af0eefca71d6ce3c1ab1e9e725aba8a21df03d1e33186baa7a40726
Instruction Fuzzy Hash: 1C01B1313A0310BBFB1067699C8EF593E59DB5AB12F101001F358EE1E1C9E264449A79

Function 00D01803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00D01449,?,?,00000000), ref: 00D0180C
HeapAlloc.KERNEL32(00000000,?,00D01449,?,?,00000000), ref: 00D01813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D01449,?,?,00000000), ref: 00D01828
GetCurrentProcess.KERNEL32(?,00000000,?,00D01449,?,?,00000000), ref: 00D01830
DuplicateHandle.KERNEL32(00000000,?,00D01449,?,?,00000000), ref: 00D01833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D01449,?,?,00000000), ref: 00D01843
GetCurrentProcess.KERNEL32(00D01449,00000000,?,00D01449,?,?,00000000), ref: 00D0184B
DuplicateHandle.KERNEL32(00000000,?,00D01449,?,?,00000000), ref: 00D0184E
CreateThread.KERNEL32(00000000,00000000,00D01874,00000000,00000000,00000000), ref: 00D01868

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 9dabeed0a30c5adbe5a6805c3a69b40e8d5ab9fa98c7470cabb658fa4e31e5a9
Instruction ID: 2780c21e59d3e840d37f6f4857b0e6aae269685854a3fa536563e113dc699e25
Opcode Fuzzy Hash: 9dabeed0a30c5adbe5a6805c3a69b40e8d5ab9fa98c7470cabb658fa4e31e5a9
Instruction Fuzzy Hash: 4F01BBB5250308BFE710ABA5DC4DF6B3BACEB89B11F009411FA05EB2A1CA70D810DB30

Function 00D2A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00D0D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00D0D501
Part of subcall function 00D0D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00D0D50F
Part of subcall function 00D0D4DC: CloseHandle.KERNEL32(00000000), ref: 00D0D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D2A16D
GetLastError.KERNEL32 ref: 00D2A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D2A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D2A268
GetLastError.KERNEL32(00000000), ref: 00D2A273
CloseHandle.KERNEL32(00000000), ref: 00D2A2C4

Strings

SeDebugPrivilege, xrefs: 00D2A18F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: bd43f9378056aabae38ce5f811021c5facbcfc4018c3a4a19ed0bbaeac219ec6
Instruction ID: 9c2da6944fdc9e05673dcac72182b05da6c4888ad2328cbbfa4f20c3aea017e3
Opcode Fuzzy Hash: bd43f9378056aabae38ce5f811021c5facbcfc4018c3a4a19ed0bbaeac219ec6
Instruction Fuzzy Hash: 9E617B302042529FD720DF18D894F15BBA1EF5531CF19849CE46A8B7A3C772EC45CBA6

Function 00D33886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D33925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00D3393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D33954
_wcslen.LIBCMT ref: 00D33999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D339F4

Strings

SysListView32, xrefs: 00D338F7

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: bd0f9eaf6ffc9e87797e824b115b7f40718327840f5da3ede7beb5f5fb4d1905
Instruction ID: 4b97dfdb7b6d28cdc3dce10fb7f40028d0d2c5c25cca24106e89eb2fb667b5d4
Opcode Fuzzy Hash: bd0f9eaf6ffc9e87797e824b115b7f40718327840f5da3ede7beb5f5fb4d1905
Instruction Fuzzy Hash: C741A271A00319ABEB219F64CC45FEA77A9FF08354F140526F958E7291D7B1D984CBB0

Function 00D0BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D0BCFD
IsMenu.USER32(00000000), ref: 00D0BD1D
CreatePopupMenu.USER32 ref: 00D0BD53
GetMenuItemCount.USER32(016453F8), ref: 00D0BDA4
InsertMenuItemW.USER32(016453F8,?,00000001,00000030), ref: 00D0BDCC

Strings

0, xrefs: 00D0BCA8
2, xrefs: 00D0BD37

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 76e241556fbd9c52c0d69b61439a2786121ac165c07adc9d3703be3293910aa8
Instruction ID: 01302db1e09cce9f5bf6a124c4402e1b7c131a5f66cc317667e668675c6ec278
Opcode Fuzzy Hash: 76e241556fbd9c52c0d69b61439a2786121ac165c07adc9d3703be3293910aa8
Instruction Fuzzy Hash: 80518F70A08206DBDB10DFA9D884BAEFBF4EF45324F18425AE45AE72D1E7709941CB71

Function 00D0C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00D0C913

Strings

warning, xrefs: 00D0C8FC
question, xrefs: 00D0C8CC
blank, xrefs: 00D0C895
stop, xrefs: 00D0C8E4
info, xrefs: 00D0C8B4

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 0507de4b54e2545bbb24235a4f5eacfd78ed76e0a986fef6d6cd6757dd9fcd9b
Instruction ID: 5d958c48a550466da9f7f812212bd862e74f9c9596fe14f783b1ab1ee32669fa
Opcode Fuzzy Hash: 0507de4b54e2545bbb24235a4f5eacfd78ed76e0a986fef6d6cd6757dd9fcd9b
Instruction Fuzzy Hash: 30113D31699306BFE7089B14EC83FAA379CDF15315B20512EF908A62C2D770DD006678

Function 00D0DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D0DE42
gethostname.WSOCK32(?,00000100), ref: 00D0DE5C
gethostbyname.WSOCK32(?), ref: 00D0DE69
inet_ntoa.WSOCK32(?), ref: 00D0DEAB
_strcat.LIBCMT ref: 00D0DEB9
WSACleanup.WSOCK32 ref: 00D0DEDE

Strings

0.0.0.0, xrefs: 00D0DE87

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 2b77e355531db96b4f389643f0eb2079201717242928d92bea2f59971bdd8229
Instruction ID: 25e5c6410ed71ef936f746efeebeefa64fc028718fb65509507130a0c322932d
Opcode Fuzzy Hash: 2b77e355531db96b4f389643f0eb2079201717242928d92bea2f59971bdd8229
Instruction Fuzzy Hash: CD110672904214AFCB24AB60DC0AFEE77ADDF10710F04016AF489EA1D1EF71CA819B70

Function 00D39F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

GetSystemMetrics.USER32(0000000F), ref: 00D39FC7
GetSystemMetrics.USER32(0000000F), ref: 00D39FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00D3A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D3A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D3A263
ShowWindow.USER32(00000003,00000000), ref: 00D3A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00D3A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00D3A2CA

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 2595d06960f5e4ba18a341745d2c023b0a58b94129fa0b26805f9850cf50da87
Instruction ID: 26baef47d5cd052a36a3373fd5b4fdde0c4af3a77ac770c2f9f3fcf10a609a3a
Opcode Fuzzy Hash: 2595d06960f5e4ba18a341745d2c023b0a58b94129fa0b26805f9850cf50da87
Instruction Fuzzy Hash: 3DB18835600215EFDF14CF6CC985BAE7BB2FF48701F099069EC89AB299D771A940CB61

Function 00D0ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00D0ED2A
_wcslen.LIBCMT ref: 00D0ED3B
_wcslen.LIBCMT ref: 00D0ED79
_wcslen.LIBCMT ref: 00D0EDAF
_wcslen.LIBCMT ref: 00D0EDDF
_wcslen.LIBCMT ref: 00D0EDEF
_wcslen.LIBCMT ref: 00D0EE2B
_wcslen.LIBCMT ref: 00D0EE5A

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: b61169e058be06b896f2ec9ca0f14a630694cea23880a2088080e9a0713cf79a
Instruction ID: bf96c8f69aadfa4f9ecb62e1e4ef55a9ecdd8899cadcecf18c262d02e5a944cc
Opcode Fuzzy Hash: b61169e058be06b896f2ec9ca0f14a630694cea23880a2088080e9a0713cf79a
Instruction Fuzzy Hash: 9D418065C1021875CB11EBB4C88AFDFB7ACAF45710F50886AF518E3161FB34E655C3A5

Function 00CBF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00CF682C,00000004,00000000,00000000), ref: 00CBF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00CF682C,00000004,00000000,00000000), ref: 00CFF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00CF682C,00000004,00000000,00000000), ref: 00CFF454

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 04de17bff5c0b72367b505fb9520c557831770e473f88d02bf1f075156c64cb9
Instruction ID: 314d6e328ac1a10e2f26a15b0179420cae324b294d53e2eca6b7496ed179a8f8
Opcode Fuzzy Hash: 04de17bff5c0b72367b505fb9520c557831770e473f88d02bf1f075156c64cb9
Instruction Fuzzy Hash: E8412A31A08744FAC7798B2D8C887BA7B91EF56310F14453CE1A792770D631AA83DB21

Function 00D32D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D32D1B
GetDC.USER32(00000000), ref: 00D32D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D32D2E
ReleaseDC.USER32(00000000,00000000), ref: 00D32D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D32D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D32D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D35A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00D32DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D32DE1

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6598331dbc36185a4a0ac4279affd76f95968d8a302c3a20657e1dfa65e5d691
Instruction ID: abcc1b484913d2b6f1a7384ac143e4ae77820973843b0b775c66fef91755ba6e
Opcode Fuzzy Hash: 6598331dbc36185a4a0ac4279affd76f95968d8a302c3a20657e1dfa65e5d691
Instruction Fuzzy Hash: DD316B72211614BBEB218F50DC8AFFB3BA9EB09755F084055FE08EA2A1D6759C50CBB4

Function 00D05622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D05637
_memcmp.LIBVCRUNTIME ref: 00D05659
_memcmp.LIBVCRUNTIME ref: 00D05671
_memcmp.LIBVCRUNTIME ref: 00D05684
_memcmp.LIBVCRUNTIME ref: 00D0569E
_memcmp.LIBVCRUNTIME ref: 00D056B1
_memcmp.LIBVCRUNTIME ref: 00D056C9
_memcmp.LIBVCRUNTIME ref: 00D056E4

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c391786bedb5dee59a38ff56f618c136ff2af865908de530d546fc030b73bfbe
Instruction ID: cfcc35b43fc1aa386b25ff1c0cb93b7e49d3ab0a9728132156c0f669e13b5cc2
Opcode Fuzzy Hash: c391786bedb5dee59a38ff56f618c136ff2af865908de530d546fc030b73bfbe
Instruction Fuzzy Hash: 1A21AA61A40A09BBD3145611EE82FBB335CAF62384F8C0024FD0D5A5C6F762ED149DB5

Function 00D24FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00D25007
NULL Pointer assignment, xrefs: 00D2502E, 00D25383

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 9845b311214b42b1cac3c2db5ed4c3b5c2f260218bd68f73d0c38bc342018283
Instruction ID: 2ab83370184216f314af79970a30e57e1a8a019d687641559ec4286910d05abe
Opcode Fuzzy Hash: 9845b311214b42b1cac3c2db5ed4c3b5c2f260218bd68f73d0c38bc342018283
Instruction Fuzzy Hash: 21D1A171A0061A9FDF10CF98E880FAEB7B5BF58348F188069E915AB285D771DD45CBB0

Function 00CE1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00CE17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00CE15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00CE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CE1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00CE17FB,?,00CE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CE16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00CE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CE16FB

Part of subcall function 00CD3820: RtlAllocateHeap.NTDLL(00000000,?,00D71444,?,00CBFDF5,?,?,00CAA976,00000010,00D71440,00CA13FC,?,00CA13C6,?,00CA1129), ref: 00CD3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00CE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CE1777
__freea.LIBCMT ref: 00CE17A2
__freea.LIBCMT ref: 00CE17AE

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f9a8f598a9f23ccf5bfa512142b6503206cdbf9afaf3a7f0b25f9522836bda67
Instruction ID: 8c6d5db0a73fc4aa5fdd8828b8f6b7841e577139c1dcca7652a763628243a97a
Opcode Fuzzy Hash: f9a8f598a9f23ccf5bfa512142b6503206cdbf9afaf3a7f0b25f9522836bda67
Instruction Fuzzy Hash: A191D271E012869ADB208F66C881EEE7BB5EF49710F1C4619ED22E7281D735CE50CB60

Function 00D24523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D24648
VariantInit.OLEAUT32(?), ref: 00D24749
VariantClear.OLEAUT32(?), ref: 00D24753
VariantClear.OLEAUT32(?), ref: 00D247B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00D245D8, 00D24706, 00D247BE
Incorrect Object type in FOR..IN loop, xrefs: 00D2472C

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: fee064d5886e80369a274d4d718dfaf2ea0769e77f377516c334ac8ddf088e2e
Instruction ID: 48c5913aee36807a6d05350667f2031861cb7387defcf972d930e6cd792bbd8a
Opcode Fuzzy Hash: fee064d5886e80369a274d4d718dfaf2ea0769e77f377516c334ac8ddf088e2e
Instruction Fuzzy Hash: 5591A070A00229AFDF20CFA4D844FAEBBB8EF56719F148559F915AB280D7709945CFB0

Function 00D11187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00D1125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00D11284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00D112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D1135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D11430

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 7743ad1db1472af5220d72d91c753fa61dd34e8ceb32987256dbbc4c53c58d4e
Instruction ID: 61cc3b178c975b0f1810828601df5a856890269b04a6192790783160ef963cb8
Opcode Fuzzy Hash: 7743ad1db1472af5220d72d91c753fa61dd34e8ceb32987256dbbc4c53c58d4e
Instruction Fuzzy Hash: 4291F079A00219BFDB009FA4E885BFEB7B5FF05714F144029E640E7291DB74A981CBB0

Function 00CB948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8dadd11c20a4ff29a370f5af6ae571ed9135864eba95b60fec25091015fb7580
Instruction ID: 904c110b82150353174f1792ce5faee77509894d97338d6b23cb66fc84ded0ca
Opcode Fuzzy Hash: 8dadd11c20a4ff29a370f5af6ae571ed9135864eba95b60fec25091015fb7580
Instruction Fuzzy Hash: 39913771D40219EFCB14CFA9CC84AEEBBB8FF49320F148159E615B7251D374AA46DB60

Function 00D23947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D2396B
CharUpperBuffW.USER32(?,?), ref: 00D23A7A
_wcslen.LIBCMT ref: 00D23A8A
VariantClear.OLEAUT32(?), ref: 00D23C1F

Part of subcall function 00D10CDF: VariantInit.OLEAUT32(00000000), ref: 00D10D1F
Part of subcall function 00D10CDF: VariantCopy.OLEAUT32(?,?), ref: 00D10D28
Part of subcall function 00D10CDF: VariantClear.OLEAUT32(?), ref: 00D10D34

Strings

AUTOIT.ERROR, xrefs: 00D23A80, 00D23A85
Incorrect Parameter format, xrefs: 00D239A6, 00D23BA1

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 735a23a94bef11261da7c92a5cd07054f945d100c18983f26fefad42a9159754
Instruction ID: 7bb8024616c986dcb852f21f43081eb89cc81a12169ca818caad686a0a5d6e89
Opcode Fuzzy Hash: 735a23a94bef11261da7c92a5cd07054f945d100c18983f26fefad42a9159754
Instruction Fuzzy Hash: FC919A746083119FC704EF28D48196AB7E4FF99318F04882DF88A97351DB35EE45CBA2

Function 00D24BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00D0000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?,?,?,00D0035E), ref: 00D0002B
Part of subcall function 00D0000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?,?), ref: 00D00046
Part of subcall function 00D0000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?,?), ref: 00D00054
Part of subcall function 00D0000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?), ref: 00D00064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00D24C51
_wcslen.LIBCMT ref: 00D24D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00D24DCF
CoTaskMemFree.OLE32(?), ref: 00D24DDA

Strings

NULL Pointer assignment, xrefs: 00D24E23, 00D24E52

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 3135e9536914cca4f9838e4b81de072fe299f71e6c7fd729840eebc22fd88b3e
Instruction ID: 3542865704b91dba9d48dcf55a7bf10d24fef9fd4ee54b5707a167e326ba837a
Opcode Fuzzy Hash: 3135e9536914cca4f9838e4b81de072fe299f71e6c7fd729840eebc22fd88b3e
Instruction Fuzzy Hash: EF912871D0022DAFDF14DFA4D891AEEB7B8FF08314F108169E915A7291DB349A44DFA0

Function 00D320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00D32183
GetMenuItemCount.USER32(00000000), ref: 00D321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D321DD
_wcslen.LIBCMT ref: 00D32213
GetMenuItemID.USER32(?,?), ref: 00D3224D
GetSubMenu.USER32(?,?), ref: 00D3225B

Part of subcall function 00D03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D03A57
Part of subcall function 00D03A3D: GetCurrentThreadId.KERNEL32 ref: 00D03A5E
Part of subcall function 00D03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D025B3), ref: 00D03A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D322E3

Part of subcall function 00D0E97B: Sleep.KERNEL32 ref: 00D0E9F3

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 6a3590da3fb2574982e883fadca6c5326b1abcdc159598ff9c5782c2a0498a7b
Instruction ID: cf9e971bafb4afff66f547f29ffc03aa59f328a27ab431005d9e7a43a968fca4
Opcode Fuzzy Hash: 6a3590da3fb2574982e883fadca6c5326b1abcdc159598ff9c5782c2a0498a7b
Instruction Fuzzy Hash: D0716B75E00215AFCB10EFA8C885ABEB7F5EF49310F148459E956EB351DB34EE418BA0

Function 00D37E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016456F0), ref: 00D37F37
IsWindowEnabled.USER32(016456F0), ref: 00D37F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00D3801E
SendMessageW.USER32(016456F0,000000B0,?,?), ref: 00D38051
IsDlgButtonChecked.USER32(?,?), ref: 00D38089
GetWindowLongW.USER32(016456F0,000000EC), ref: 00D380AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D380C3

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 8d448d3812fd70c3a2e44c3c9c1ba2c5724d44239dea542c98e2e43e4e7c5994
Instruction ID: cbba423c312048f279a5a3e61d13962b2fd511d4a27deb53add7ce9601ef41c1
Opcode Fuzzy Hash: 8d448d3812fd70c3a2e44c3c9c1ba2c5724d44239dea542c98e2e43e4e7c5994
Instruction Fuzzy Hash: 13716AB5608B04AFEB359F64C884FAABBB9FF09340F184459F955973A1CB31A845DB30

Function 00D0AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00D0AEF9
GetKeyboardState.USER32(?), ref: 00D0AF0E
SetKeyboardState.USER32(?), ref: 00D0AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00D0AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00D0AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00D0AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D0B020

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bdc618cb58f02074e8073e467dbff0008dd19a18ace8cfae489748e4788e55b7
Instruction ID: 051611c333597ae963ab022007a36d9c9ac6f7e57ba3c48dccc6ee7a036ddaab
Opcode Fuzzy Hash: bdc618cb58f02074e8073e467dbff0008dd19a18ace8cfae489748e4788e55b7
Instruction Fuzzy Hash: D651A0A06187D63DFB3683388845BBABEA95F06314F0C858AF1DD954D2C3D8AC84D771

Function 00D0ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00D0AD19
GetKeyboardState.USER32(?), ref: 00D0AD2E
SetKeyboardState.USER32(?), ref: 00D0AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D0ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D0ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D0AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D0AE38

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a86f6748f2e2b17c6f4b6343e5b1d693fcb497dd3c725ce4b5b1f5d54b8975c4
Instruction ID: b40375748215d7c4dd52297180cfe8af5abe3abc266ceb1454aa06f7d8342fa5
Opcode Fuzzy Hash: a86f6748f2e2b17c6f4b6343e5b1d693fcb497dd3c725ce4b5b1f5d54b8975c4
Instruction Fuzzy Hash: 6F51B4A16187D53DFB368338CC55BBABEA99B46300F0C8589F1DD568C2D294EC88D772

Function 00CD542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00CE3CD6,?,?,?,?,?,?,?,?,00CD5BA3,?,?,00CE3CD6,?,?), ref: 00CD5470
__fassign.LIBCMT ref: 00CD54EB
__fassign.LIBCMT ref: 00CD5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00CE3CD6,00000005,00000000,00000000), ref: 00CD552C
WriteFile.KERNEL32(?,00CE3CD6,00000000,00CD5BA3,00000000,?,?,?,?,?,?,?,?,?,00CD5BA3,?), ref: 00CD554B
WriteFile.KERNEL32(?,?,00000001,00CD5BA3,00000000,?,?,?,?,?,?,?,?,?,00CD5BA3,?), ref: 00CD5584

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d55fcc0baf4ba5aef6af2e628c71d686b2d817d78b9a041f38f26f41f4ae17a6
Instruction ID: bf995f4741aea3841ab001b8f3f71ab1e190c23d3f6e0b8597f3a818ab954666
Opcode Fuzzy Hash: d55fcc0baf4ba5aef6af2e628c71d686b2d817d78b9a041f38f26f41f4ae17a6
Instruction Fuzzy Hash: EA519171A00749AFDB11CFA8E845AEEBBF9EF09300F14411BE655E7391E7309A41CB61

Function 00CC2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00CC2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00CC2D53
_ValidateLocalCookies.LIBCMT ref: 00CC2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00CC2E0C
_ValidateLocalCookies.LIBCMT ref: 00CC2E61

Strings

csm, xrefs: 00CC2DF6

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 6196a7a2ddfd3c45995ad3f65d5edc9f12229921c7d2a9d585260e0f946be06e
Instruction ID: 79f66322ada9b429e1e9e7c0b4e3b5642e678aca27f2b583bbbf09d4ce53abd2
Opcode Fuzzy Hash: 6196a7a2ddfd3c45995ad3f65d5edc9f12229921c7d2a9d585260e0f946be06e
Instruction Fuzzy Hash: DA41C134E00249ABCF10DF68C845F9EBBB5BF44324F14815DE825AB392DB31AA05CBE0

Function 00D210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D2307A
Part of subcall function 00D2304E: _wcslen.LIBCMT ref: 00D2309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00D21112
WSAGetLastError.WSOCK32 ref: 00D21121
WSAGetLastError.WSOCK32 ref: 00D211C9
closesocket.WSOCK32(00000000), ref: 00D211F9

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: e54b79319fa914af6f36cf4be49695bcd4a50b96375fb824c1303343fae41a51
Instruction ID: 7f2041e0c0c34e4fdc85a7525cd301b58e45f24c53967b18f6115ebafdf8c831
Opcode Fuzzy Hash: e54b79319fa914af6f36cf4be49695bcd4a50b96375fb824c1303343fae41a51
Instruction Fuzzy Hash: 2B410135600324AFDB119F24D884BAAB7A9EF61328F188018FD05AB281C770EE418BB1

Function 00D0CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D0CF22,?), ref: 00D0DDFD

Part of subcall function 00D0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D0CF22,?), ref: 00D0DE16

lstrcmpiW.KERNEL32(?,?), ref: 00D0CF45
MoveFileW.KERNEL32(?,?), ref: 00D0CF7F
_wcslen.LIBCMT ref: 00D0D005
_wcslen.LIBCMT ref: 00D0D01B
SHFileOperationW.SHELL32(?), ref: 00D0D061

Strings

\*.*, xrefs: 00D0CFF3

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: a797499701f0ff13710b3c812e5c19e641441fed96d210483201cbecb4326902
Instruction ID: 3292391fafd17dbc7ae04cbba0e397bb126177e415d07a0adbc62297748b3ed8
Opcode Fuzzy Hash: a797499701f0ff13710b3c812e5c19e641441fed96d210483201cbecb4326902
Instruction Fuzzy Hash: CF4158719452195FDF12EFA4D981FDE77B9EF48380F0410E6E509E7181EA34A648CB71

Function 00D32DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D32E1C
GetWindowLongW.USER32(?,000000F0), ref: 00D32E4F
GetWindowLongW.USER32(?,000000F0), ref: 00D32E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D32EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D32EE0
GetWindowLongW.USER32(?,000000F0), ref: 00D32EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D32F0B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5432cf751552a2084b7b05e60723376bcae83ed7bfe52ffc73ac21a54dfc7f7a
Instruction ID: 1e9336710399018c01d1f5894496ecccf337bedb4a72c34923cf345dc9eba91a
Opcode Fuzzy Hash: 5432cf751552a2084b7b05e60723376bcae83ed7bfe52ffc73ac21a54dfc7f7a
Instruction Fuzzy Hash: AB310435A04250AFDB21CF58DC86F6537E1FB8AB10F191164FA14EF2B1CB71A881DB61

Function 00D07726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D07769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D0778F
SysAllocString.OLEAUT32(00000000), ref: 00D07792
SysAllocString.OLEAUT32(?), ref: 00D077B0
SysFreeString.OLEAUT32(?), ref: 00D077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00D077DE
SysAllocString.OLEAUT32(?), ref: 00D077EC

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9bc97a2a95282f0150f101a32e3b51589ef5f45d7595be40904a39d8aba3c72e
Instruction ID: 466131958b490df25031afe4abf74cb6d13b60df3dc570a7005340fba6590e71
Opcode Fuzzy Hash: 9bc97a2a95282f0150f101a32e3b51589ef5f45d7595be40904a39d8aba3c72e
Instruction Fuzzy Hash: 4421A776A04219AFDF10DFA8CC84DBB77ACEB497A4B048025F919DF291D670ED418770

Function 00D077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D07842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D07868
SysAllocString.OLEAUT32(00000000), ref: 00D0786B
SysAllocString.OLEAUT32 ref: 00D0788C
SysFreeString.OLEAUT32 ref: 00D07895
StringFromGUID2.OLE32(?,?,00000028), ref: 00D078AF
SysAllocString.OLEAUT32(?), ref: 00D078BD

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: be9ef8b23c8099fd0d1e843bcfef60a917f0bc8ee7817caa966bf59f91bd4368
Instruction ID: a5e75e1e281dfd405b86a10f1ea4630fc7b7a3ed3c7b6a209efa6a0a021f51e0
Opcode Fuzzy Hash: be9ef8b23c8099fd0d1e843bcfef60a917f0bc8ee7817caa966bf59f91bd4368
Instruction Fuzzy Hash: 3E213036A08204AFDB109FA8DC89EAA77ACEB097607148125F919DB2A1D674FC41DB74

Function 00D104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00D104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D1052E

Strings

nul, xrefs: 00D10567

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e9ba8831fe9ecf8e37f418d8dd1a7147feb0c4c07e1a3ecdc0b077307de23220
Instruction ID: dabab033b33445448af623a5334049e5c00e3aa7e4d6ebc5366f8641a157ff25
Opcode Fuzzy Hash: e9ba8831fe9ecf8e37f418d8dd1a7147feb0c4c07e1a3ecdc0b077307de23220
Instruction Fuzzy Hash: 1B212375500305ABEB206F69E844A9A7BB5AF44764F244A19E8A1E62D0DBB0D9D0CF30

Function 00D105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00D105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D10601

Strings

nul, xrefs: 00D10639

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f49e243773d8aaba0158590c0264c7fa92d0647c31e29f996bca43a4df9e12a8
Instruction ID: 33bb9c96eb89b27a11dd46ed21bd7bfb1e57b9c8f72a952a5d6b1088a560390c
Opcode Fuzzy Hash: f49e243773d8aaba0158590c0264c7fa92d0647c31e29f996bca43a4df9e12a8
Instruction Fuzzy Hash: 64215B75500305ABDB106F69AC44ADA7BE4AF95720F244A19F8A1E72D0DBF099E0CB70

Function 00D340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CA604C
Part of subcall function 00CA600E: GetStockObject.GDI32(00000011), ref: 00CA6060
Part of subcall function 00CA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CA606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D34112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D3411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D3412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D34139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D34145

Strings

Msctls_Progress32, xrefs: 00D340E3

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: dc715b382e91c7498b8458d673ddd32566c8196221610b3b8866c6b1d330f496
Instruction ID: 142e41f99ed52c0202fa9f44c7071c8ccb92468699675489657956a18b6ad284
Opcode Fuzzy Hash: dc715b382e91c7498b8458d673ddd32566c8196221610b3b8866c6b1d330f496
Instruction Fuzzy Hash: 391190B215021ABEEF118E64CC86EE77F5DEF08798F014111FA18A2150CA769C619BB4

Function 00CDD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CDD7A3: _free.LIBCMT ref: 00CDD7CC

_free.LIBCMT ref: 00CDD82D

Part of subcall function 00CD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000), ref: 00CD29DE
Part of subcall function 00CD29C8: GetLastError.KERNEL32(00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000,00000000), ref: 00CD29F0

_free.LIBCMT ref: 00CDD838
_free.LIBCMT ref: 00CDD843
_free.LIBCMT ref: 00CDD897
_free.LIBCMT ref: 00CDD8A2
_free.LIBCMT ref: 00CDD8AD
_free.LIBCMT ref: 00CDD8B8

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 9c8f76f65d9a0d3ad1aa7e4f36195f1cf5df6eb1ebf95f62db33ad2f5850a3e5
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 4B115E71940B04AAD621BFB0CC87FCB7BDCAF10700F4108A6B39EE6292DA65B505B660

Function 00D0DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D0DA74
LoadStringW.USER32(00000000), ref: 00D0DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D0DA91
LoadStringW.USER32(00000000), ref: 00D0DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D0DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00D0DAB9

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 849725f934f51805183a6606367678b65249e95522c8809794ac03c1839d45db
Instruction ID: 1818614a406e4f1595f7cd42037dca6f9c4a6f39f0af186d5d95f7df3a1f0eee
Opcode Fuzzy Hash: 849725f934f51805183a6606367678b65249e95522c8809794ac03c1839d45db
Instruction Fuzzy Hash: 890162F29103087FE7109BA09D89EE7726CE708301F401496B746F2181EA749E848F74

Function 00D1096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0163D320,0163D320), ref: 00D1097B
EnterCriticalSection.KERNEL32(0163D300,00000000), ref: 00D1098D
TerminateThread.KERNEL32(?,000001F6), ref: 00D1099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00D109A9
CloseHandle.KERNEL32(?), ref: 00D109B8
InterlockedExchange.KERNEL32(0163D320,000001F6), ref: 00D109C8
LeaveCriticalSection.KERNEL32(0163D300), ref: 00D109CF

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 02cac1ba8982a6de120674ef6f0d1a20738b6bf04effdb499c9a697ee6a935a6
Instruction ID: 0e7d518ff56801c3f7a2e9c12b45c3068cd2891d3f48251b3bd11bc49de482d1
Opcode Fuzzy Hash: 02cac1ba8982a6de120674ef6f0d1a20738b6bf04effdb499c9a697ee6a935a6
Instruction Fuzzy Hash: 2CF01D31552602BBD7415B94EE88AD67A25BF05702F442015F101A09A1CBB494B5CFA4

Function 00D21C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00D21DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00D21DE1
WSAGetLastError.WSOCK32 ref: 00D21DF2
htons.WSOCK32(?,?,?,?,?), ref: 00D21EDB
inet_ntoa.WSOCK32(?), ref: 00D21E8C

Part of subcall function 00D039E8: _strlen.LIBCMT ref: 00D039F2

Part of subcall function 00D23224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00D1EC0C), ref: 00D23240

_strlen.LIBCMT ref: 00D21F35

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 249c5ca912fa084a6c42c7cc7910a83dace6834eb4f0ff241d87b223340bdee2
Instruction ID: d62c6a1635275b5fee8ba3d798847a8aeab2284633010e5edc1c7aa24c888f9a
Opcode Fuzzy Hash: 249c5ca912fa084a6c42c7cc7910a83dace6834eb4f0ff241d87b223340bdee2
Instruction Fuzzy Hash: 19B1F135604311AFC324DF24D885E6A77E5AFA531CF58854CF4565B2E2CB31ED42CBA1

Function 00CA5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00CA5D30
GetWindowRect.USER32(?,?), ref: 00CA5D71
ScreenToClient.USER32(?,?), ref: 00CA5D99
GetClientRect.USER32(?,?), ref: 00CA5ED7
GetWindowRect.USER32(?,?), ref: 00CA5EF8

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 8e17328439945cd9082b436427e15faae0a4a2c4ecba97ebb3f5e18dcb95c883
Instruction ID: a0754e94fbcf5f66c563b9ff04da816a0879478a8fd17e1217ca61b155c624bd
Opcode Fuzzy Hash: 8e17328439945cd9082b436427e15faae0a4a2c4ecba97ebb3f5e18dcb95c883
Instruction Fuzzy Hash: 24B18B75A00B8ADBDB14CFAAC4807EEB7F1FF58314F14941AE8A9D7250DB34AA41CB50

Function 00CD01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00CD00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CD00D6
__allrem.LIBCMT ref: 00CD00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CD010B
__allrem.LIBCMT ref: 00CD0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CD0140

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 20148fe604c62e86bca5e8c82d160848b61030372067dde942d11f3a6b181f22
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 5581D372A00706ABE724AB6DCC42B6E73E9EF41364F25412FF661D7381E770EA419790

Function 00CD61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CC82D9,00CC82D9,?,?,?,00CD644F,00000001,00000001,8BE85006), ref: 00CD6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CD644F,00000001,00000001,8BE85006,?,?,?), ref: 00CD62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CD63D8
__freea.LIBCMT ref: 00CD63E5

Part of subcall function 00CD3820: RtlAllocateHeap.NTDLL(00000000,?,00D71444,?,00CBFDF5,?,?,00CAA976,00000010,00D71440,00CA13FC,?,00CA13C6,?,00CA1129), ref: 00CD3852

__freea.LIBCMT ref: 00CD63EE
__freea.LIBCMT ref: 00CD6413

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f14ea15bf5d1829040f72d7fc49aa2179e886de527b84c3c52c68d408e1e76d3
Instruction ID: eebf55673c44fc407f7fb25f3e1ce060ab239131f20eccb6cd7e6648c36c7b2a
Opcode Fuzzy Hash: f14ea15bf5d1829040f72d7fc49aa2179e886de527b84c3c52c68d408e1e76d3
Instruction Fuzzy Hash: 8D51F272600216ABDB258F64CC81EBF7BA9EF44710F15422AFF15D7291EB34DD40D660

Function 00D2BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D2B6AE,?,?), ref: 00D2C9B5
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2C9F1
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2CA68
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D2BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D2BD25
RegCloseKey.ADVAPI32(00000000), ref: 00D2BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D2BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D2BDF3
RegCloseKey.ADVAPI32(?), ref: 00D2BDFF

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: b530581741e677ff3353d5ca434563312231e7dbbf1963b52ef1b0d06fa39579
Instruction ID: b63abb8a09ed082b8ded185169e8698e929ef433cb058fc10bb69a6b24eb8845
Opcode Fuzzy Hash: b530581741e677ff3353d5ca434563312231e7dbbf1963b52ef1b0d06fa39579
Instruction Fuzzy Hash: 2381B130108241AFC714DF24C885E6ABBE5FF8531CF14895DF4968B2A2CB71ED45DBA2

Function 00CFF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00CFF7B9
SysAllocString.OLEAUT32(00000001), ref: 00CFF860
VariantCopy.OLEAUT32(00CFFA64,00000000), ref: 00CFF889
VariantClear.OLEAUT32(00CFFA64), ref: 00CFF8AD
VariantCopy.OLEAUT32(00CFFA64,00000000), ref: 00CFF8B1
VariantClear.OLEAUT32(?), ref: 00CFF8BB

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 9f5eabfe764845fdda36c922396746dce5c816c228248119ae8b8fae88a3d051
Instruction ID: 1826281ead472c9c8c427c139d568064e4cba95c74e47a7b0c5f0f2e0b53805e
Opcode Fuzzy Hash: 9f5eabfe764845fdda36c922396746dce5c816c228248119ae8b8fae88a3d051
Instruction Fuzzy Hash: E3510731500318BBCF64AF65D895B39B3A4EF45310F20946EEA01DF292DBB08D42E767

Function 00D1910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00CA7620: _wcslen.LIBCMT ref: 00CA7625

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00D194E5
_wcslen.LIBCMT ref: 00D19506
_wcslen.LIBCMT ref: 00D1952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00D19585

Strings

X, xrefs: 00D19412

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: c721c04f24fdf51128a5ec7963065e6db38fa9024e5a36e193a70b5f80497f9c
Instruction ID: b7cdeeaf50010c859db31902b72d9a470d6e88c0b2dc3ce40e948270ef60e132
Opcode Fuzzy Hash: c721c04f24fdf51128a5ec7963065e6db38fa9024e5a36e193a70b5f80497f9c
Instruction Fuzzy Hash: A8E1C2315083419FD714DF24D8A1AAAB7E5FF85314F08896CF8999B2A2DB30DD45CBA2

Function 00CB920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

BeginPaint.USER32(?,?,?), ref: 00CB9241
GetWindowRect.USER32(?,?), ref: 00CB92A5
ScreenToClient.USER32(?,?), ref: 00CB92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00CB92D3
EndPaint.USER32(?,?,?,?,?), ref: 00CB9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00CF71EA

Part of subcall function 00CB9339: BeginPath.GDI32(00000000), ref: 00CB9357

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: c688d54c957739f79b4d813fe666915a9abeca04e0561aabbe9b8792d84b92c6
Instruction ID: dc52275d7ca2977ae85af3eb07a3c1a4296b3aa8f9ca02028471a2e1a515d24a
Opcode Fuzzy Hash: c688d54c957739f79b4d813fe666915a9abeca04e0561aabbe9b8792d84b92c6
Instruction Fuzzy Hash: BF418E75104300AFD721DF29CC85FBA7BB8EB45320F144229FA69D72B2D7319945DB62

Function 00D107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00D1080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00D10847
EnterCriticalSection.KERNEL32(?), ref: 00D10863
LeaveCriticalSection.KERNEL32(?), ref: 00D108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00D108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00D10921

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: ae98c4ceb0c9d5c17344b3bab5f71a40d8ff826ddd98e59a95e69e9df2bf6334
Instruction ID: d2103dd28191303bdb56847e7600b3f68f609d41326df0b6bf2fb64e8d0a5f16
Opcode Fuzzy Hash: ae98c4ceb0c9d5c17344b3bab5f71a40d8ff826ddd98e59a95e69e9df2bf6334
Instruction Fuzzy Hash: CB414C71900205EBDF14AF64DC85AAA7BB9FF04310F1440A9ED04EA297DB70DEA5DBB4

Function 00D381DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00CFF3AB,00000000,?,?,00000000,?,00CF682C,00000004,00000000,00000000), ref: 00D3824C
EnableWindow.USER32(?,00000000), ref: 00D38272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00D382D1
ShowWindow.USER32(?,00000004), ref: 00D382E5
EnableWindow.USER32(?,00000001), ref: 00D3830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D3832F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ff304004494824cfc8796788594f8583ea073a04add3fe20b338e00038619c97
Instruction ID: a2295e4b097e3b518d5a8dd074473de6706daf65f8af990c985d572e69c08675
Opcode Fuzzy Hash: ff304004494824cfc8796788594f8583ea073a04add3fe20b338e00038619c97
Instruction Fuzzy Hash: F9418238601744AFDB11CF15CC99BA57BE0BB0A715F185269FA189B362CB31A841DF74

Function 00D04C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00D04C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D04CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D04CEA
_wcslen.LIBCMT ref: 00D04D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D04D10
_wcsstr.LIBVCRUNTIME ref: 00D04D1A

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 922f4936421106d9ef89ef00a429720105388cca8221d9a00ed40647e06d308c
Instruction ID: 5995524bce0c381c5b3413c5682a2d18134a55fa23be86879e596bfceecec5bc
Opcode Fuzzy Hash: 922f4936421106d9ef89ef00a429720105388cca8221d9a00ed40647e06d308c
Instruction Fuzzy Hash: 6921D4B2204240BBEB259B39EC4AF7B7B9CDF45750F14802DF909DA2A1EA61DD0197B0

Function 00D1581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CA3A97,?,?,00CA2E7F,?,?,?,00000000), ref: 00CA3AC2

_wcslen.LIBCMT ref: 00D1587B
CoInitialize.OLE32(00000000), ref: 00D15995
CoCreateInstance.OLE32(00D3FCF8,00000000,00000001,00D3FB68,?), ref: 00D159AE
CoUninitialize.OLE32 ref: 00D159CC

Strings

.lnk, xrefs: 00D15876, 00D158C1, 00D15985

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 7bd587caa5edc882d74522164b9b1a127df28e99b835724ae23b68105ee87357
Instruction ID: 076d7c53523feeda9c2d3f293344d187d416ab1b93f8021b7603dec52f005cb8
Opcode Fuzzy Hash: 7bd587caa5edc882d74522164b9b1a127df28e99b835724ae23b68105ee87357
Instruction Fuzzy Hash: 1AD15370608701EFC704DF14E480A6ABBE1FF89714F148959F88A9B361DB35EC85CBA2

Function 00D0175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D00FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D00FCA
Part of subcall function 00D00FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D00FD6
Part of subcall function 00D00FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D00FE5
Part of subcall function 00D00FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D00FEC
Part of subcall function 00D00FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D01002

GetLengthSid.ADVAPI32(?,00000000,00D01335), ref: 00D017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D017BA
HeapAlloc.KERNEL32(00000000), ref: 00D017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00D017DA
GetProcessHeap.KERNEL32(00000000,00000000,00D01335), ref: 00D017EE
HeapFree.KERNEL32(00000000), ref: 00D017F5

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: a742ce3875973dea7758351765c9ca25ffa9c6ff28de0351bffdb39684190854
Instruction ID: 2a291171ac8d1fc9694d885c7ee68287bde9428875b6937df7560ee1425c6373
Opcode Fuzzy Hash: a742ce3875973dea7758351765c9ca25ffa9c6ff28de0351bffdb39684190854
Instruction Fuzzy Hash: 33119736610305EBDB149FA4CC49BAE7BA9FB96355F144018F489E7290C736A944DB70

Function 00D014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00D01506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D01515
CloseHandle.KERNEL32(00000004), ref: 00D01520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D0154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00D01563

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b12637f4755c6b2e32c6af51da7ab4220d3fea1eb1921abc1454fc15db9ab110
Instruction ID: dc01bbda9795ac6e22d40afdf5c45d451fe2dee73d10ea0af39174eccd50f352
Opcode Fuzzy Hash: b12637f4755c6b2e32c6af51da7ab4220d3fea1eb1921abc1454fc15db9ab110
Instruction Fuzzy Hash: A4112676500249ABDF118FA8DD49BDE7BA9FF48748F084029FA09A21A0C375CE64DB70

Function 00CC3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CC3379,00CC2FE5), ref: 00CC3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CC339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CC33B7
SetLastError.KERNEL32(00000000,?,00CC3379,00CC2FE5), ref: 00CC3409

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f32ad5918b671c61bcb6949df4a82a826cfe0d2ebd52a3ab54520fbfbea7f4f8
Instruction ID: 774cd82d96fafb0d16c17ed50716a410c45269ff50fee2ca6633811507e8cbf8
Opcode Fuzzy Hash: f32ad5918b671c61bcb6949df4a82a826cfe0d2ebd52a3ab54520fbfbea7f4f8
Instruction Fuzzy Hash: 2301243261C3D1BEA7286774FC95F6A2A94EB0537A320822EF520C13F0EF554E0362A4

Function 00CD2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CD5686,00CE3CD6,?,00000000,?,00CD5B6A,?,?,?,?,?,00CCE6D1,?,00D68A48), ref: 00CD2D78
_free.LIBCMT ref: 00CD2DAB
_free.LIBCMT ref: 00CD2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00CCE6D1,?,00D68A48,00000010,00CA4F4A,?,?,00000000,00CE3CD6), ref: 00CD2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00CCE6D1,?,00D68A48,00000010,00CA4F4A,?,?,00000000,00CE3CD6), ref: 00CD2DEC
_abort.LIBCMT ref: 00CD2DF2

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: e981df1a4c95a2e72e38a1b2853886ba10e79255c175a3a363c3b3b24a197a37
Instruction ID: 27e093bb8263a0abcdb923a3e6caebe7ad2d8df6bf28789e9330835e843e2e99
Opcode Fuzzy Hash: e981df1a4c95a2e72e38a1b2853886ba10e79255c175a3a363c3b3b24a197a37
Instruction Fuzzy Hash: 1BF0CD315047006BC2123735BC06E1B25576FE27A1F244417F774D23D2EF64C901B271

Function 00D38A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CB9693
Part of subcall function 00CB9639: SelectObject.GDI32(?,00000000), ref: 00CB96A2
Part of subcall function 00CB9639: BeginPath.GDI32(?), ref: 00CB96B9
Part of subcall function 00CB9639: SelectObject.GDI32(?,00000000), ref: 00CB96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00D38A4E
LineTo.GDI32(?,00000003,00000000), ref: 00D38A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00D38A70
LineTo.GDI32(?,00000000,00000003), ref: 00D38A80
EndPath.GDI32(?), ref: 00D38A90
StrokePath.GDI32(?), ref: 00D38AA0

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 1d6162eb7ff96e4c8ac81dafe0294b5d134d1f46df6c4e0ce4938cb77eabc1b5
Instruction ID: 793be9a8e735f3a1ba004a2a5f1b866b28535fcec2c5ebc7046dc4fc2fab55f2
Opcode Fuzzy Hash: 1d6162eb7ff96e4c8ac81dafe0294b5d134d1f46df6c4e0ce4938cb77eabc1b5
Instruction Fuzzy Hash: 5611CC7600024DFFDB119F94DC48E9A7F6DEB04394F048011FA19992A1D7719D55DF70

Function 00D051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D05218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00D05229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D05230
ReleaseDC.USER32(00000000,00000000), ref: 00D05238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00D0524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00D05261

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 60c1ac9d04359ac702d24d741653848bd5f51a3ac7cbc63ebc831c7cf5da0f08
Instruction ID: 4d0d6ca3ef160f4285d45088554748c0c5bee8eaff8088e1ab50000fe24df0a9
Opcode Fuzzy Hash: 60c1ac9d04359ac702d24d741653848bd5f51a3ac7cbc63ebc831c7cf5da0f08
Instruction Fuzzy Hash: 6B014F75A01718BBEB109BB59C49B5EBFB8EF48751F044065FA04E7391D6709800CFA0

Function 00CA1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CA1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00CA1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CA1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CA1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00CA1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CA1C22

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 509188e85aa1e674254545e1307ba7aa38d97b23f57ff0b9f8df1e9b2ad106b3
Instruction ID: c60a1872bd21924f459413a8547c5217f314be2134e2c22986853fb7c8f97dc6
Opcode Fuzzy Hash: 509188e85aa1e674254545e1307ba7aa38d97b23f57ff0b9f8df1e9b2ad106b3
Instruction Fuzzy Hash: A9016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 00D0EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D0EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D0EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00D0EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D0EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D0EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D0EB75

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 7b877070ca9ba3bf0df01f026811fe72217610dd405e608274eb7b5bdc0268d3
Instruction ID: 51502012c48213b98661105c10e7e267d72a3b65d8485b45517608d5b4fe4122
Opcode Fuzzy Hash: 7b877070ca9ba3bf0df01f026811fe72217610dd405e608274eb7b5bdc0268d3
Instruction Fuzzy Hash: D1F03A72250258BBE7215B629C0EEEF3A7CEFCAB11F005158F601E12A1D7A05A01D7B5

Function 00CF7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00CF7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00CF7469
GetWindowDC.USER32(?), ref: 00CF7475
GetPixel.GDI32(00000000,?,?), ref: 00CF7484
ReleaseDC.USER32(?,00000000), ref: 00CF7496
GetSysColor.USER32(00000005), ref: 00CF74B0

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 3ac0e1bc85ffa09283a60b023ac6e26c9dadf150b848529214d535bd645644c9
Instruction ID: 9bd3520be954a6e5d1fa44c0ab259cb43c9e29a462735e61a0b36879924a01d6
Opcode Fuzzy Hash: 3ac0e1bc85ffa09283a60b023ac6e26c9dadf150b848529214d535bd645644c9
Instruction Fuzzy Hash: 24012831410619EFEB515FA4DC09BAA7BB5FB04311F511164FA25E22B1CB311E51EF61

Function 00D01874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D0187F
UnloadUserProfile.USERENV(?,?), ref: 00D0188B
CloseHandle.KERNEL32(?), ref: 00D01894
CloseHandle.KERNEL32(?), ref: 00D0189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D018A5
HeapFree.KERNEL32(00000000), ref: 00D018AC

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ca9537a4e9af77d9ad471cef2e416d76d2ef22ecfb78e22a75f40258ee700e9d
Instruction ID: 2a81f2267b3e70c2af33791e4fa24d5fd91ec7df70d6543333ea38adf6d45be4
Opcode Fuzzy Hash: ca9537a4e9af77d9ad471cef2e416d76d2ef22ecfb78e22a75f40258ee700e9d
Instruction Fuzzy Hash: C7E0E576114301BBDB015FA1ED0C90ABF39FF59B22B109220F225E1270CB329430EF60

Function 00D0C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA7620: _wcslen.LIBCMT ref: 00CA7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D0C6EE
_wcslen.LIBCMT ref: 00D0C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D0C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D0C7CA

Strings

0, xrefs: 00D0C6AF

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: c9121b02c047d15e05fb16317853b765ef3367d7549052e59814f9636079ceb5
Instruction ID: bff68fd031d1fe04459d976a9827f0499d9a65bf6a32f1e79d4a222c063f9158
Opcode Fuzzy Hash: c9121b02c047d15e05fb16317853b765ef3367d7549052e59814f9636079ceb5
Instruction Fuzzy Hash: B751B1716243019BD7259F28C885B6B77E8AF85314F082B2DF999D32E0EB70D9059B72

Function 00D0719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D07206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D0723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D0724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D072CF

Strings

DllGetClassObject, xrefs: 00D07242

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b271808846749c84d469998942c1ed74800927cb24c58f25a5fb2fba83cc61bf
Instruction ID: e3768a7272bbf0953397218f91b29fdbc5a9f3c5a37acd2e063531aa4728f037
Opcode Fuzzy Hash: b271808846749c84d469998942c1ed74800927cb24c58f25a5fb2fba83cc61bf
Instruction Fuzzy Hash: 73413BB1E04204AFDB15CF64C884B9A7BA9EF44310F1580A9BD099F28AD7B1ED45DBB4

Function 00D33D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D33E35
IsMenu.USER32(?), ref: 00D33E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D33E92
DrawMenuBar.USER32 ref: 00D33EA5

Strings

0, xrefs: 00D33D89

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 27dfc4b6aa8a2a3d4fad9d074cc4c0144572bb3f9dcc399b3738d50f9a143899
Instruction ID: 99c3ed3e848fae70d937adf9537e3e754ff999ff2180c4fadd0a8607d7c974ff
Opcode Fuzzy Hash: 27dfc4b6aa8a2a3d4fad9d074cc4c0144572bb3f9dcc399b3738d50f9a143899
Instruction Fuzzy Hash: C44165B5A00249AFDB10DF64D984EAABBB9FF48350F084229F915AB350D730EE41CF60

Function 00D01DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D03CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D01E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D01E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00D01EA9

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

Strings

ComboBox, xrefs: 00D01DF0
ListBox, xrefs: 00D01E25

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 32f05e4a5815164dbb5281a1e236de4c70862a238fb6e48cfa3fc4ca2891f066
Instruction ID: a058f2fc7a654b6e3137a04a6e68e9c4553adb0d2bc7a8af622c0d57a47e8e5a
Opcode Fuzzy Hash: 32f05e4a5815164dbb5281a1e236de4c70862a238fb6e48cfa3fc4ca2891f066
Instruction Fuzzy Hash: 5221D875A00104BFDB14AB64DC46DFFB7B9EF46364F144119F829A72E1DB34490AA730

Function 00D32F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D32F8D
LoadLibraryW.KERNEL32(?), ref: 00D32F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D32FA9
DestroyWindow.USER32(?), ref: 00D32FB1

Strings

SysAnimate32, xrefs: 00D32F68

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 97486f1dae90cc57ee38fd726fcbf68587161be5dd173d7dd95c74e4d98f3954
Instruction ID: f374eaba48fe0de8807ed7c3de9b604d7a87f8e0b0c896fed16a0dc6d639c48e
Opcode Fuzzy Hash: 97486f1dae90cc57ee38fd726fcbf68587161be5dd173d7dd95c74e4d98f3954
Instruction Fuzzy Hash: DF21AC72A04209ABEB104F66DC81EBB77B9EF59368F140228FA50E22A0D771DC919770

Function 00CC4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CC4D1E,00CD28E9,?,00CC4CBE,00CD28E9,00D688B8,0000000C,00CC4E15,00CD28E9,00000002), ref: 00CC4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CC4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00CC4D1E,00CD28E9,?,00CC4CBE,00CD28E9,00D688B8,0000000C,00CC4E15,00CD28E9,00000002,00000000), ref: 00CC4DC3

Strings

mscoree.dll, xrefs: 00CC4D86
CorExitProcess, xrefs: 00CC4D98

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a37f1785eae4daf5f2553776f6fa061c3c51939c9555b8ab710e5ad873fd9cfe
Instruction ID: dbaa1617779cb4faf79125ededa5c62f5ea4de1e89efe2590f9c3a4ee97928b6
Opcode Fuzzy Hash: a37f1785eae4daf5f2553776f6fa061c3c51939c9555b8ab710e5ad873fd9cfe
Instruction Fuzzy Hash: EFF04F35A50308BBDB159F90DC49FADBFB5EF44751F0041A8F906E2260CB705A44DBE1

Function 00CFD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00CFD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CFD3BF
FreeLibrary.KERNEL32(00000000), ref: 00CFD3E5

Strings

X64, xrefs: 00CFD2A8
GetSystemWow64DirectoryW, xrefs: 00CFD3B9

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 4aba517fd10991d77468d0740e9f5dc867178d65095abb1e1d09bfdfae53f129
Instruction ID: 9996c3edc682493d97e48cd21357732e97043378d829cc6d477771f627d050b8
Opcode Fuzzy Hash: 4aba517fd10991d77468d0740e9f5dc867178d65095abb1e1d09bfdfae53f129
Instruction Fuzzy Hash: 68F020358067289BE7F11B118C489793221AF00B01F519148EB13F2224DB20CE48ABE3

Function 00CA4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CA4EDD,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CA4EAE
FreeLibrary.KERNEL32(00000000,?,?,00CA4EDD,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00CA4EA8
kernel32.dll, xrefs: 00CA4E94

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: dabe7110163c6e9b30b1beac8e410e7ed59be267503943751a16c5737c4f640c
Instruction ID: 6016597591e8e7fb7522552a87e7828c9e8282217169146ed9b1480157a6974b
Opcode Fuzzy Hash: dabe7110163c6e9b30b1beac8e410e7ed59be267503943751a16c5737c4f640c
Instruction Fuzzy Hash: 9BE08C36A127235B92221B25AC18A6BA658AFC2B66B090115FC01F2240DBA0CE0692F1

Function 00CA4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CE3CDE,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CA4E74
FreeLibrary.KERNEL32(00000000,?,?,00CE3CDE,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00CA4E6E
kernel32.dll, xrefs: 00CA4E5B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: d78241873623b0ec02900c74663c8e7f46fa58bdb99ba3a1f09053497a4e1ebe
Instruction ID: c7007111b1ffd2ad23836e76d64fd140578782d830959a9074938dee15e984d5
Opcode Fuzzy Hash: d78241873623b0ec02900c74663c8e7f46fa58bdb99ba3a1f09053497a4e1ebe
Instruction Fuzzy Hash: 46D012365127225B56261B257C1CD8BAA58AFC6B553051515B915F2254CFA0CE0196F0

Function 00D12947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D12C05
DeleteFileW.KERNEL32(?), ref: 00D12C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D12C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D12CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D12CC0

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 0ec635a52fba95678a059d471db889cee11e28dcb3f96434bf2fc8d90a6a9bb4
Instruction ID: 76ffd07998001f5910d26348173bb80dd025bb16cc9228c8f25ea7439038fea1
Opcode Fuzzy Hash: 0ec635a52fba95678a059d471db889cee11e28dcb3f96434bf2fc8d90a6a9bb4
Instruction Fuzzy Hash: 35B16D71900119BBDF21DBA4DD85EEEB7BDEF09350F0040AAF609E6141EA319A949FB0

Function 00D2A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00D2A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D2A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D2A468
CloseHandle.KERNEL32(?), ref: 00D2A63D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 8e2fef2ee6efe6a353f316522075a7aae3e24c033a97c813af09d7d22aa114f2
Instruction ID: 9e7685ceb8ab68eccb4a0d4a92dd426865cf4292ed0d70dc9aaeb8a291f50ccf
Opcode Fuzzy Hash: 8e2fef2ee6efe6a353f316522075a7aae3e24c033a97c813af09d7d22aa114f2
Instruction Fuzzy Hash: F8A1BF716047019FD720DF28D882F2AB7E1EF94718F18881DF59A9B392D7B0EC418B92

Function 00CDBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00D43700), ref: 00CDBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D7121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00CDBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D71270,000000FF,?,0000003F,00000000,?), ref: 00CDBC36
_free.LIBCMT ref: 00CDBB7F

Part of subcall function 00CD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000), ref: 00CD29DE
Part of subcall function 00CD29C8: GetLastError.KERNEL32(00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000,00000000), ref: 00CD29F0

_free.LIBCMT ref: 00CDBD4B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 45c1b52a0b28d54db202e8f09f55bde5f7189dcb4bc15c4ceccfb2d55003895c
Instruction ID: 90fc5ad709cf8d55de2938bf1b0779f234a922c24b2692997c740210ed137b3a
Opcode Fuzzy Hash: 45c1b52a0b28d54db202e8f09f55bde5f7189dcb4bc15c4ceccfb2d55003895c
Instruction Fuzzy Hash: 5D51A775900309EFCB10EF69DC429AEB7B8FF44350B11426BE664D73A1EB709E41AB64

Function 00D0E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D0CF22,?), ref: 00D0DDFD

Part of subcall function 00D0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D0CF22,?), ref: 00D0DE16

Part of subcall function 00D0E199: GetFileAttributesW.KERNEL32(?,00D0CF95), ref: 00D0E19A

lstrcmpiW.KERNEL32(?,?), ref: 00D0E473
MoveFileW.KERNEL32(?,?), ref: 00D0E4AC
_wcslen.LIBCMT ref: 00D0E5EB
_wcslen.LIBCMT ref: 00D0E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00D0E650

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 65039d138b73118410cbb0bd78509b51f21cd62088231e1fcd0e5827436f7f9f
Instruction ID: 2f3231109560774d10c89bc8c170eb8b82a71720f86778278358ebb500bc9170
Opcode Fuzzy Hash: 65039d138b73118410cbb0bd78509b51f21cd62088231e1fcd0e5827436f7f9f
Instruction Fuzzy Hash: 0E515DB24083459BC724EB90D885ADBB3ECEF85344F04492EE589D3191EE75E6888776

Function 00D2B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D2B6AE,?,?), ref: 00D2C9B5
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2C9F1
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2CA68
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D2BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D2BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D2BB63
RegCloseKey.ADVAPI32(?,?), ref: 00D2BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00D2BBB3

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 06ea4c7b1a8509bcb58b603a9e602c7e02bedcd968fcbbb68465a59478d4f33a
Instruction ID: 6860fc62510c74813bd03d92603b2e4941a5b0ee43f0bab088ae384ff9c7354d
Opcode Fuzzy Hash: 06ea4c7b1a8509bcb58b603a9e602c7e02bedcd968fcbbb68465a59478d4f33a
Instruction Fuzzy Hash: C761C131208241AFC314DF24D491E2ABBE5FF8531CF18859DF4998B2A2CB71ED45CBA2

Function 00D08BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D08BCD
VariantClear.OLEAUT32 ref: 00D08C3E
VariantClear.OLEAUT32 ref: 00D08C9D
VariantClear.OLEAUT32(?), ref: 00D08D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D08D3B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4365a203392ebd9bcdeeec561f59c061453d597604926dc0cb683991783aa5b3
Instruction ID: b594b44ee96fd3673e31e7b2fcd025eb534d718c677cf23cf67d17815a06722f
Opcode Fuzzy Hash: 4365a203392ebd9bcdeeec561f59c061453d597604926dc0cb683991783aa5b3
Instruction Fuzzy Hash: 18517BB5A10219EFCB10CF68C884AAAB7F8FF89310B158559F949DB350E730E911CFA0

Function 00D18AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D18BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00D18BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D18C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D18C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D18C5F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6fa1f2831a447e220eab673b7972829d0486f8e08b0fd89bee65070560a804d9
Instruction ID: d5ac5d38e2ca0e0dc86a5d26f2891d3f2620a17dd400e4d01a54d80745da5391
Opcode Fuzzy Hash: 6fa1f2831a447e220eab673b7972829d0486f8e08b0fd89bee65070560a804d9
Instruction Fuzzy Hash: C5513D35A00215EFCB05DF64C881AAEBBF5FF49314F088458E849AB362DB35ED51DBA0

Function 00D28EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00D28F40
GetProcAddress.KERNEL32(00000000,?), ref: 00D28FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00D28FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00D29032
FreeLibrary.KERNEL32(00000000), ref: 00D29052

Part of subcall function 00CBF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00D11043,?,761DE610), ref: 00CBF6E6
Part of subcall function 00CBF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00CFFA64,00000000,00000000,?,?,00D11043,?,761DE610,?,00CFFA64), ref: 00CBF70D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 0af289bc0413c090767f1c9778ca2ff79e760a84c9eba991badf50da6f33f42b
Instruction ID: f52c133e1ea2768cca703656777bd3e0413012951488eaec977016bbf38c0873
Opcode Fuzzy Hash: 0af289bc0413c090767f1c9778ca2ff79e760a84c9eba991badf50da6f33f42b
Instruction Fuzzy Hash: A8515E35601215DFC711DF54C5958ADBBF1FF59318F088099E805AB362DB31ED85DBA0

Function 00D36B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00D36C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00D36C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00D36C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00D1AB79,00000000,00000000), ref: 00D36C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00D36CC7

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 2a7465e6e28db5f54778f2015787dc2fdd14efac40cc266f0b4ba78f1dbe830c
Instruction ID: 4f9e81a9a51a62041db956ad65b480f31603c7d9619a59880927e565b69a7019
Opcode Fuzzy Hash: 2a7465e6e28db5f54778f2015787dc2fdd14efac40cc266f0b4ba78f1dbe830c
Instruction Fuzzy Hash: F641A135604204BFDB24CF28CC59FA9BFA5EB09350F189268F999E73A0C371ED41DA60

Function 00CD2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CD20C3
_free.LIBCMT ref: 00CD20E3

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 633b5991d2840a0a663d5e598aeee0a45e444b72e728eea3f8ef59689c430909
Instruction ID: 5cb37b8d6af40b88971b676091959f3577f62561bc258645c896fc444b9b5ac7
Opcode Fuzzy Hash: 633b5991d2840a0a663d5e598aeee0a45e444b72e728eea3f8ef59689c430909
Instruction Fuzzy Hash: 6441C532A00200AFCB24DF78C981A6DB7F5EF99314F1585AAE615EB395D731EE01DB90

Function 00CB912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CB9141
ScreenToClient.USER32(00000000,?), ref: 00CB915E
GetAsyncKeyState.USER32(00000001), ref: 00CB9183
GetAsyncKeyState.USER32(00000002), ref: 00CB919D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 5d0ab9c641882ccdcb0ed90c0e4fe432b4055e9b85a4ec7df3c3b07632ff549e
Instruction ID: 6e4b7998e2bfbff69254cfc82cbfb9ff9a1458e98c9e4647f4f3ab002884c378
Opcode Fuzzy Hash: 5d0ab9c641882ccdcb0ed90c0e4fe432b4055e9b85a4ec7df3c3b07632ff549e
Instruction Fuzzy Hash: F9414F71A0861AFBDF159F68C848BFEB774FF05320F208319E529A7290C7346A54DBA1

Function 00D13874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00D138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00D13922
TranslateMessage.USER32(?), ref: 00D1394B
DispatchMessageW.USER32(?), ref: 00D13955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D13966

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: cd7dea54140cb41aa2f96caa1dad567bb5877a196bda01dfe46c7f79cc26232a
Instruction ID: 5c1d365670e9578d120a92dd9ba0c16dbe322310d69df4d022365c6aa24c92a7
Opcode Fuzzy Hash: cd7dea54140cb41aa2f96caa1dad567bb5877a196bda01dfe46c7f79cc26232a
Instruction Fuzzy Hash: 15318874504341BEEB35CB38B849BF63BA4EB05304F080669E4A6D6290EBB496C5CF71

Function 00D1CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00D1C21E,00000000), ref: 00D1CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00D1CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00D1C21E,00000000), ref: 00D1CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D1C21E,00000000), ref: 00D1CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D1C21E,00000000), ref: 00D1CFF2

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 08af026577cb719d7687436843c0cab57a3387678fc3b39e17010bacadf83672
Instruction ID: fe6017d6206f9cb5125fd065b162e56bb0e3e9c9b41caf936106685594351893
Opcode Fuzzy Hash: 08af026577cb719d7687436843c0cab57a3387678fc3b39e17010bacadf83672
Instruction Fuzzy Hash: 29315A71555305BFDB20DFA5E884AABBBF9EF14310B14542EF516E2240EB30EE829B70

Function 00D01901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D01915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00D019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00D019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00D019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00D019E2

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f8ec66b58def82654fc39190000cc120b195f5cc7e8e2c4f52df6109fd7b351e
Instruction ID: 68b18c8fac297497bd7bca5efca5927f30533d8f01b4497f4c65276cc4d32148
Opcode Fuzzy Hash: f8ec66b58def82654fc39190000cc120b195f5cc7e8e2c4f52df6109fd7b351e
Instruction Fuzzy Hash: 88319C75A00219EFCB00CFA8DD99BDE3BB5EB05315F144229F965E72D1C7709944DBA0

Function 00D35706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D35745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00D3579D
_wcslen.LIBCMT ref: 00D357AF
_wcslen.LIBCMT ref: 00D357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D35816

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e3239d4b75e1f22b9cdd51a82afd326a8b77c5c6ac18ce18732d3ec85df82a6a
Instruction ID: a5ce9f790be53cc4f6e307e72f64b673095f3129dd2491c40e01cc532b253cba
Opcode Fuzzy Hash: e3239d4b75e1f22b9cdd51a82afd326a8b77c5c6ac18ce18732d3ec85df82a6a
Instruction Fuzzy Hash: DC21A571904618DADB208F64EC85AED77B8FF05320F148216E919EA284D770C985CF70

Function 00D20930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D20951
GetForegroundWindow.USER32 ref: 00D20968
GetDC.USER32(00000000), ref: 00D209A4
GetPixel.GDI32(00000000,?,00000003), ref: 00D209B0
ReleaseDC.USER32(00000000,00000003), ref: 00D209E8

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 652bcbec2064d793c62cf7c763af27df9656ebd5132a0c99df8fc766d58fdbe4
Instruction ID: 50840dea883d88d993d5ef81c64ca6c4910505f1dc59afccf71074be5d4f9e08
Opcode Fuzzy Hash: 652bcbec2064d793c62cf7c763af27df9656ebd5132a0c99df8fc766d58fdbe4
Instruction Fuzzy Hash: 83216F35A00214AFD704EF69D885AAEBBE9EF45704F048068F84AE7762CB30EC44DB60

Function 00CDCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00CDCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CDCDE9

Part of subcall function 00CD3820: RtlAllocateHeap.NTDLL(00000000,?,00D71444,?,00CBFDF5,?,?,00CAA976,00000010,00D71440,00CA13FC,?,00CA13C6,?,00CA1129), ref: 00CD3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CDCE0F
_free.LIBCMT ref: 00CDCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CDCE31

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f294e641565c33c54303c021ce63ebab68dc519727d3574dc7ebcc25d8475433
Instruction ID: f4ccee8bfd43d1fde4375063ed2fc6f1b5539412da56ecc7a455988c3a57b4ca
Opcode Fuzzy Hash: f294e641565c33c54303c021ce63ebab68dc519727d3574dc7ebcc25d8475433
Instruction Fuzzy Hash: 640184B26013167F272116BB6CC8D7BBA6DDEC6BA1315012BFA15D7701EA618E01E2B0

Function 00CB9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CB9693
SelectObject.GDI32(?,00000000), ref: 00CB96A2
BeginPath.GDI32(?), ref: 00CB96B9
SelectObject.GDI32(?,00000000), ref: 00CB96E2

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 73f19f14f871451f53f431c5b1c17d1c276cd8c4d4e085eb7cb7786820db93ae
Instruction ID: cfdda9bf872d8f56d48dddc2aad32cc7bd35a49b97d94753b661a6ad366238c1
Opcode Fuzzy Hash: 73f19f14f871451f53f431c5b1c17d1c276cd8c4d4e085eb7cb7786820db93ae
Instruction Fuzzy Hash: F8217F35812305EBDB119F29DC197E97BB8FB10355F100316F628E62B0E3709996DFA0

Function 00D05711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D05726
_memcmp.LIBVCRUNTIME ref: 00D05744
_memcmp.LIBVCRUNTIME ref: 00D05757
_memcmp.LIBVCRUNTIME ref: 00D0576F
_memcmp.LIBVCRUNTIME ref: 00D05787

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2bf01e8cb456f56bb2d309baee88e8ab706d38f0c82a9602ac630cdc19e414a6
Instruction ID: e179099bd8a9f403cd3a0a1fd6f8d5bb254a7dae10daa45c573b58a424cb4738
Opcode Fuzzy Hash: 2bf01e8cb456f56bb2d309baee88e8ab706d38f0c82a9602ac630cdc19e414a6
Instruction Fuzzy Hash: 3101BE61641609BFD7189611EE81FBB735C9FA2358F1C4024FD0C5A1C5F760ED14A6B1

Function 00CD2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00CCF2DE,00CD3863,00D71444,?,00CBFDF5,?,?,00CAA976,00000010,00D71440,00CA13FC,?,00CA13C6), ref: 00CD2DFD
_free.LIBCMT ref: 00CD2E32
_free.LIBCMT ref: 00CD2E59
SetLastError.KERNEL32(00000000,00CA1129), ref: 00CD2E66
SetLastError.KERNEL32(00000000,00CA1129), ref: 00CD2E6F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f63c696287517817bcb34d6c6b4012c19a27fe690e4975b6f0bfe2d8620e7edb
Instruction ID: ded48248167df5121d10be0891f46440f75f78f2abb7d452d11ea624c4c8fc7c
Opcode Fuzzy Hash: f63c696287517817bcb34d6c6b4012c19a27fe690e4975b6f0bfe2d8620e7edb
Instruction Fuzzy Hash: 2F01D1326057006B861227356C45D2B2759ABE13A3B24442BF775E2792EAA4CD016130

Function 00D0000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?,?,?,00D0035E), ref: 00D0002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?,?), ref: 00D00046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?,?), ref: 00D00054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?), ref: 00D00064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?,?), ref: 00D00070

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 26c4818e630c48796a4255c4cca3c53834892f726200da86d06c77f836a21ab8
Instruction ID: 9a704889ea81dc86bf5a909d37aca91db5250af712eb2cb972f2db9e6223a87a
Opcode Fuzzy Hash: 26c4818e630c48796a4255c4cca3c53834892f726200da86d06c77f836a21ab8
Instruction Fuzzy Hash: 2D018F76610304BFDB104F68DC08BAA7EADEB48792F145124F909E2250DB71DE408BB0

Function 00D010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D01114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D01120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D0112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D01136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D0114D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: a037454f72b31d6b2349edce8019a0f03e3b193a09ebdd1fcddee65763679665
Instruction ID: d818a71aa53f9ed42daf077cdb7a2743b85444cc7cdc2adb76691de38fad9d7a
Opcode Fuzzy Hash: a037454f72b31d6b2349edce8019a0f03e3b193a09ebdd1fcddee65763679665
Instruction Fuzzy Hash: DC011979210315BFDB154FA5DC49A6A3B6EEF893A0B244419FA49E73A0DA31DC009B70

Function 00D00FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D00FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D00FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D00FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D00FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D01002

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ae44524099765b2b52c5ddb3765836f9e758c572fcea9754191346a049409459
Instruction ID: fde9e87755b6bec3d6e7c4f91bbadab9b2de530bd4a500df23392c733f4e48ca
Opcode Fuzzy Hash: ae44524099765b2b52c5ddb3765836f9e758c572fcea9754191346a049409459
Instruction Fuzzy Hash: AAF04939210302ABDB224FA49C4AF5A3BADEF89762F144414FA89E7391CA70DC508B70

Function 00D01014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D0102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D01036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D01045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D0104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D01062

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5f8892fa2ab18bf55f5c3850bcc32059cc18b32e071c90f6451773f895df3d9d
Instruction ID: 952c53ef3ead99a5fe1467449a917d66fa50d8203abb71546d8f43cb0c5270f1
Opcode Fuzzy Hash: 5f8892fa2ab18bf55f5c3850bcc32059cc18b32e071c90f6451773f895df3d9d
Instruction Fuzzy Hash: E2F06D39210301EBDB215FA4EC4AF563BADEF89761F140418FA89E7390CA70D8508B70

Function 00D1030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00D1017D,?,00D132FC,?,00000001,00CE2592,?), ref: 00D10324
CloseHandle.KERNEL32(?,?,?,?,00D1017D,?,00D132FC,?,00000001,00CE2592,?), ref: 00D10331
CloseHandle.KERNEL32(?,?,?,?,00D1017D,?,00D132FC,?,00000001,00CE2592,?), ref: 00D1033E
CloseHandle.KERNEL32(?,?,?,?,00D1017D,?,00D132FC,?,00000001,00CE2592,?), ref: 00D1034B
CloseHandle.KERNEL32(?,?,?,?,00D1017D,?,00D132FC,?,00000001,00CE2592,?), ref: 00D10358
CloseHandle.KERNEL32(?,?,?,?,00D1017D,?,00D132FC,?,00000001,00CE2592,?), ref: 00D10365

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7c02d725690dffe70a213d9a16980f75ba7841f11d2855dddc842dea5a09bee1
Instruction ID: 9a19aef2626f04e0ba42911a41c4e0e59c478513f481c60b2c17b61bc4342328
Opcode Fuzzy Hash: 7c02d725690dffe70a213d9a16980f75ba7841f11d2855dddc842dea5a09bee1
Instruction Fuzzy Hash: 7401A272800B15AFC730AF66E880452FBF9BF503153198A3FD1A652931C7B1A995DF90

Function 00CDD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CDD752

Part of subcall function 00CD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000), ref: 00CD29DE
Part of subcall function 00CD29C8: GetLastError.KERNEL32(00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000,00000000), ref: 00CD29F0

_free.LIBCMT ref: 00CDD764
_free.LIBCMT ref: 00CDD776
_free.LIBCMT ref: 00CDD788
_free.LIBCMT ref: 00CDD79A

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 121bb96e487f32cfac66901736bfa74da37ae2f3b75630302f2fecf794591731
Instruction ID: 07c47b4cfcfc2669e4e56b88127c269f35b40e47b4a79780e4b1ce3e47abf65c
Opcode Fuzzy Hash: 121bb96e487f32cfac66901736bfa74da37ae2f3b75630302f2fecf794591731
Instruction Fuzzy Hash: D6F09632950304AB8621FB64F9C1C2677DDBB44310B951C47F2A9D7705C730FC809A70

Function 00D05C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00D05C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00D05C6F
MessageBeep.USER32(00000000), ref: 00D05C87
KillTimer.USER32(?,0000040A), ref: 00D05CA3
EndDialog.USER32(?,00000001), ref: 00D05CBD

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 817360b744b80f63ea25731d489f3cba832025a703153af05a36dd5dda2e6dd4
Instruction ID: 47ce51fec2d8491a0bfe1201125f2b5650420dd3135ee55e5d20bd7940acf3af
Opcode Fuzzy Hash: 817360b744b80f63ea25731d489f3cba832025a703153af05a36dd5dda2e6dd4
Instruction Fuzzy Hash: 0A016D31510B04ABFB215B10EE4FFA67BB8BB00B05F042559A987B11E1DBF4A984CFA4

Function 00CD22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CD22BE

Part of subcall function 00CD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000), ref: 00CD29DE
Part of subcall function 00CD29C8: GetLastError.KERNEL32(00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000,00000000), ref: 00CD29F0

_free.LIBCMT ref: 00CD22D0
_free.LIBCMT ref: 00CD22E3
_free.LIBCMT ref: 00CD22F4
_free.LIBCMT ref: 00CD2305

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 640d16d9d53646841d2c3c1e9b74d5e7045d01e285000f85d1d92d996953a7d1
Instruction ID: 5c7ecf497af1a8b4224326145596209b74f16681b7a3a84e43301159dc436b55
Opcode Fuzzy Hash: 640d16d9d53646841d2c3c1e9b74d5e7045d01e285000f85d1d92d996953a7d1
Instruction Fuzzy Hash: 31F03A74810320CB8622BF68BC128187F64BB28760700160BF618D33B2EB700991BBB8

Function 00CB95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00CB95D4
StrokeAndFillPath.GDI32(?,?,00CF71F7,00000000,?,?,?), ref: 00CB95F0
SelectObject.GDI32(?,00000000), ref: 00CB9603
DeleteObject.GDI32 ref: 00CB9616
StrokePath.GDI32(?), ref: 00CB9631

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7052b8df5670a45896dbf1a9b43f20eb02deccf6895bb57e1e06ee4dfbef6438
Instruction ID: dac40fc6769256e10b86d0cbe731b8300a37ba115ef0986a1bd21749f256c3d8
Opcode Fuzzy Hash: 7052b8df5670a45896dbf1a9b43f20eb02deccf6895bb57e1e06ee4dfbef6438
Instruction Fuzzy Hash: 44F0B639016344EBDB265F69ED187A43B65EB01362F048314F679E52F0E7308A96DF31

Function 00CD0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00CD10F9
__freea.LIBCMT ref: 00CD1117

Part of subcall function 00CD1537: _free.LIBCMT ref: 00CD154F

Strings

am/pm, xrefs: 00CD117A
a/p, xrefs: 00CD11DE

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: e39da1a7d59c4f85fe88327ae11a42436c2382651e4642389584c8cbd722fbd0
Instruction ID: b50a6cfb02bc00edc6652b35965a438c09d4f8d9b1a2d2130ce8c823b6c9027e
Opcode Fuzzy Hash: e39da1a7d59c4f85fe88327ae11a42436c2382651e4642389584c8cbd722fbd0
Instruction Fuzzy Hash: 85D1D031900246EADB28AF69C855BBEB7B1EF05300F2C415BEF219B761D3759E80CB91

Function 00D27B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00CC0242: EnterCriticalSection.KERNEL32(00D7070C,00D71884,?,?,00CB198B,00D72518,?,?,?,00CA12F9,00000000), ref: 00CC024D
Part of subcall function 00CC0242: LeaveCriticalSection.KERNEL32(00D7070C,?,00CB198B,00D72518,?,?,?,00CA12F9,00000000), ref: 00CC028A

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00CC00A3: __onexit.LIBCMT ref: 00CC00A9

__Init_thread_footer.LIBCMT ref: 00D27BFB

Part of subcall function 00CC01F8: EnterCriticalSection.KERNEL32(00D7070C,?,?,00CB8747,00D72514), ref: 00CC0202
Part of subcall function 00CC01F8: LeaveCriticalSection.KERNEL32(00D7070C,?,00CB8747,00D72514), ref: 00CC0235

Strings

Variable must be of type 'Object'., xrefs: 00D27C3A
5, xrefs: 00D27C78
G, xrefs: 00D27C7F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 78065c6b17fe571eb59a1860678687b8a61d5fee6868ac84254f16d559ad05bc
Instruction ID: ea3ff171e32484dde63211f58f7a32767b38ea00b43d026e8c6aa42f851bca72
Opcode Fuzzy Hash: 78065c6b17fe571eb59a1860678687b8a61d5fee6868ac84254f16d559ad05bc
Instruction Fuzzy Hash: 0091AC70A04219EFCB24EF54E881DADB7B1FF55308F148059F846AB292DB31AE45DB71

Function 00D02716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D021D0,?,?,00000034,00000800,?,00000034), ref: 00D0B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D02760

Part of subcall function 00D0B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00D0B3F8

Part of subcall function 00D0B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00D0B355
Part of subcall function 00D0B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D02194,00000034,?,?,00001004,00000000,00000000), ref: 00D0B365
Part of subcall function 00D0B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D02194,00000034,?,?,00001004,00000000,00000000), ref: 00D0B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D0281A

Strings

@, xrefs: 00D02832

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d05331d6d84fbf2828d69e3ecbbbad90db1bca363f615f2fb35bc90643789fb0
Instruction ID: 3d3cd7f8284dbcbd068e7c523539ec90ffeffa25299d3d829cda246412052f4d
Opcode Fuzzy Hash: d05331d6d84fbf2828d69e3ecbbbad90db1bca363f615f2fb35bc90643789fb0
Instruction Fuzzy Hash: EF412B76901218AFDB10DFA4CD86BEEBBB8EF09310F148055FA59B7191DB706E45CBA0

Function 00CD172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00CD1769
_free.LIBCMT ref: 00CD1834
_free.LIBCMT ref: 00CD183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00CD1760, 00CD1767, 00CD1796, 00CD17CE

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3417719964
Opcode ID: 79e7b51217b91eb6b308d6476d73db104f33e570ba66e5b4c7b1adb8dbb2761c
Instruction ID: 795ef62424904a9a78c24a1808206e1b89789b377a4b39208e965ba09969e18d
Opcode Fuzzy Hash: 79e7b51217b91eb6b308d6476d73db104f33e570ba66e5b4c7b1adb8dbb2761c
Instruction Fuzzy Hash: 75319175A00208FBDB21DF99DC85D9EBBFCEB85310B19416BFA04D7351E6708A40EBA0

Function 00D0C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00D0C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00D0C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D71990,016453F8), ref: 00D0C395

Strings

0, xrefs: 00D0C2DF

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 383f56fb9084f34b178d9727c78668b35165a10272b85b5c4340c7e948dcc667
Instruction ID: bcd42ea82c81dbf48de4a2d9a4981f75b107712143ad6570c6f2e0a6f964a3a2
Opcode Fuzzy Hash: 383f56fb9084f34b178d9727c78668b35165a10272b85b5c4340c7e948dcc667
Instruction Fuzzy Hash: 33417C312243029FD720DF25D885B5ABBA8EB85320F149B1EF9A9972D1D770A904CB72

Function 00D34416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D3CC08,00000000,?,?,?,?), ref: 00D344AA
GetWindowLongW.USER32 ref: 00D344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D344D7

Strings

SysTreeView32, xrefs: 00D3447C

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c33f98cb34699359307810443f50006ba5c51560a415573d1f0e0fcebf011abb
Instruction ID: 7d897c9bad34e6184374ab0ef1a3fe41ec684f272468f89a95cf6722defd6a9d
Opcode Fuzzy Hash: c33f98cb34699359307810443f50006ba5c51560a415573d1f0e0fcebf011abb
Instruction Fuzzy Hash: B4318D32210205AFDB209F38DC45BEA77A9EB09334F244725F975E22E0D7B4EC509760

Function 00D2304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D2335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00D23077,?,?), ref: 00D23378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D2307A
_wcslen.LIBCMT ref: 00D2309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00D23106

Strings

255.255.255.255, xrefs: 00D23095, 00D2309A

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: e90d6dac6ff85d59865307209324a80b398a4dbc1f8b9fa7d4fc23ccb746e82a
Instruction ID: 6c22941f4c53e3917ae4582ae9e5b9ebf12fbcf77a5c550a37a5a45dac0ffdf3
Opcode Fuzzy Hash: e90d6dac6ff85d59865307209324a80b398a4dbc1f8b9fa7d4fc23ccb746e82a
Instruction Fuzzy Hash: 2231B0352043259FCB10CF68D586EAA77E0EF6531CF288059E9158B392DB7AEE41C770

Function 00D33EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00D33F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00D33F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D33F78

Strings

SysMonthCal32, xrefs: 00D33F0B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 0fc154524f66b534e24a00a89e50665dc677e2ae2a76bb3037c7dfe4658fc770
Instruction ID: a96daaacaa707d11be42d1e548bccd56ec7bbf03f3fe50b1e0354a3528e34db1
Opcode Fuzzy Hash: 0fc154524f66b534e24a00a89e50665dc677e2ae2a76bb3037c7dfe4658fc770
Instruction Fuzzy Hash: E021BC32610219BFDF218F50CC46FEA3B79EF48724F150214FA19BB1D0D6B1A8908BA0

Function 00D34653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00D34705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00D34713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D3471A

Strings

msctls_updown32, xrefs: 00D34684

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5cfab165068162f9da1252805a6d1f49e4a980d87e7719c24cecd47f345d4aba
Instruction ID: 68c7175d087163f3e3ee934903958c3aeb4c0006d300a7af2a5220361dd9ff9f
Opcode Fuzzy Hash: 5cfab165068162f9da1252805a6d1f49e4a980d87e7719c24cecd47f345d4aba
Instruction Fuzzy Hash: 42214AB5600209AFDB10DF68DC81DA637ADEB4A3A8B040159FA049B3A1DB74FC51DAB0

Function 00D095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D0961D

Strings

#requireadmin, xrefs: 00D095D9
#notrayicon, xrefs: 00D095B7
#OnAutoItStartRegister, xrefs: 00D095F3

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 4b0c4c6b3258aba73fb3d8533576dfdcafa00f3a57b1e2117557abe5b793856e
Instruction ID: efc0c6f8d5a331405ccd8eb3db2fd5c01b3bc3f22ee815dcf89639e3397323b5
Opcode Fuzzy Hash: 4b0c4c6b3258aba73fb3d8533576dfdcafa00f3a57b1e2117557abe5b793856e
Instruction Fuzzy Hash: D42138725045116AC331AB25DC26FB7F398AF51310F58402AF98D971C2EB52DD46D2B5

Function 00D337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D33840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D33850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D33876

Strings

Listbox, xrefs: 00D3380F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: aa2bcd428f0e09b98fc61f51b0811775a4aca8dcabc2a6ee6a4e43364c76f81f
Instruction ID: 2df3893257a178b02770f687e22cc328790f7d71c2dc32b684669c55366504a2
Opcode Fuzzy Hash: aa2bcd428f0e09b98fc61f51b0811775a4aca8dcabc2a6ee6a4e43364c76f81f
Instruction Fuzzy Hash: 3A21A1B2610218BBEF218F54DC85FBB376EEF89764F158124F9449B190C671DC5287B0

Function 00D149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D14A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00D14A5C
SetErrorMode.KERNEL32(00000000,?,?,00D3CC08), ref: 00D14AD0

Strings

%lu, xrefs: 00D14A6F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a4291e9e6e3452a3f806bc92a97ce2b2921400e30e11e4c0bc2f9534c255c5b4
Instruction ID: 4b5fe2a7864eacd42fea3e8b48ad397b9840df6e7e2edb5a890128aa31e1dfa9
Opcode Fuzzy Hash: a4291e9e6e3452a3f806bc92a97ce2b2921400e30e11e4c0bc2f9534c255c5b4
Instruction Fuzzy Hash: 02317F75A00209AFD710DF54C885EAA7BF8EF05308F148095F909DB252DB71ED45DB71

Function 00D341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D3424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D34264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D34271

Strings

msctls_trackbar32, xrefs: 00D34226

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 0ba0fb3e5e55bff6f6f3054ead82a39dca2a7a4d1cf352edc583666bc3351fec
Instruction ID: 70eaf927afcb3a403a0765109d5c0ed4326c71dd97940b86b450c656e91a26de
Opcode Fuzzy Hash: 0ba0fb3e5e55bff6f6f3054ead82a39dca2a7a4d1cf352edc583666bc3351fec
Instruction Fuzzy Hash: 9711E031240308BFEF205E29CC06FAB3BACEF85B64F010224FA55E21A0D271E8519B34

Function 00D02F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

Part of subcall function 00D02DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D02DC5
Part of subcall function 00D02DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D02DD6
Part of subcall function 00D02DA7: GetCurrentThreadId.KERNEL32 ref: 00D02DDD
Part of subcall function 00D02DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D02DE4

GetFocus.USER32 ref: 00D02F78

Part of subcall function 00D02DEE: GetParent.USER32(00000000), ref: 00D02DF9

GetClassNameW.USER32(?,?,00000100), ref: 00D02FC3
EnumChildWindows.USER32(?,00D0303B), ref: 00D02FEB

Strings

%s%d, xrefs: 00D02FFF

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 948b1408e5d8726e92d8dd3eeb3f0437d7339f86e1e20db71a56eaa136565823
Instruction ID: d2f46afb90eb980229adb20b783d7b6831cda9279a0181405ba9cf8100b1f40d
Opcode Fuzzy Hash: 948b1408e5d8726e92d8dd3eeb3f0437d7339f86e1e20db71a56eaa136565823
Instruction Fuzzy Hash: CD11AF71700205ABCF15BF649C8AFEE776AEF84304F085075B90DAB292DE3099499B70

Function 00D35882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D358EE
DrawMenuBar.USER32(?), ref: 00D358FD

Strings

0, xrefs: 00D3588F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: f1ac5815a37f5288876d02c00fea7f0ce3e43e3f01b2ccce8a2e616af7318055
Instruction ID: 1d6cca0e08f95b72883015f7fcda34752bb14af1448f56866782a6c3c957f93d
Opcode Fuzzy Hash: f1ac5815a37f5288876d02c00fea7f0ce3e43e3f01b2ccce8a2e616af7318055
Instruction Fuzzy Hash: 0D018031500258EFDB219F11EC44BEEBBB4FF45360F1480A9E849D6251DB308A94EF31

Function 00D0007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd7a6c7f012c589099e06b5273bc4845e715195d7697f7318f6d15ab68e4a3
Instruction ID: 9de9c928f975dbb876698e99c807234a88c742e670fc9953d31a7e9871dba9fb
Opcode Fuzzy Hash: 11cd7a6c7f012c589099e06b5273bc4845e715195d7697f7318f6d15ab68e4a3
Instruction Fuzzy Hash: D5C12C75A0021AEFDB15CFA4C894BAEBBB5FF48704F148598E509EB291D731DE41CBA0

Function 00CD3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00CD3F0B
__alldvrm.LIBCMT ref: 00CD410C
__alldvrm.LIBCMT ref: 00CD412E

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: f070da9b6c06490ec7bd9ded0a8e00e0c848c48fb16e2686bc654f989817c914
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 72A16871D003869FDB29CF58C8917AEBBE5EF61350F1841AFE7959B381C2349A81C751

Function 00D2342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D23459
CoUninitialize.OLE32 ref: 00D23463
VariantInit.OLEAUT32(?), ref: 00D2346E
VariantClear.OLEAUT32(?), ref: 00D2371B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 8d8a25052616ee97d67e6fe5f6c284eb8919761bd6334878bdea7699e8b68562
Instruction ID: fbe029226163988aae6b978e992a8d9408fd064b2c92ff29dd814c3bd2ff61b4
Opcode Fuzzy Hash: 8d8a25052616ee97d67e6fe5f6c284eb8919761bd6334878bdea7699e8b68562
Instruction Fuzzy Hash: 32A16F756043119FC700EF28D885A2AB7E5FF89718F04895DF98A9B362DB34ED01DBA1

Function 00D00436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D3FC08,?), ref: 00D005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D3FC08,?), ref: 00D00608
CLSIDFromProgID.OLE32(?,?,00000000,00D3CC40,000000FF,?,00000000,00000800,00000000,?,00D3FC08,?), ref: 00D0062D
_memcmp.LIBVCRUNTIME ref: 00D0064E

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: b7495fe32ed8e2bf4967c2165866000b273dbcd158ab2ac3810905c2e3c80ab9
Instruction ID: 8b466de0a869d027d1c2e9debfd29009a4855856c5245400963f463f85e0c294
Opcode Fuzzy Hash: b7495fe32ed8e2bf4967c2165866000b273dbcd158ab2ac3810905c2e3c80ab9
Instruction Fuzzy Hash: 9181FE75A00109EFCB04DF94C988EEEBBB9FF89315F144558E516EB290DB71AE06CB60

Function 00CE1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CE14C0

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 24767c41011c702e52f4ee4aafe382e24c09a2ab7ef4852a1affdf3219cb96bd
Instruction ID: f7d7d1ae325220629ea918f4d5b6bfaa6991662abdeeacf575a67228803eae90
Opcode Fuzzy Hash: 24767c41011c702e52f4ee4aafe382e24c09a2ab7ef4852a1affdf3219cb96bd
Instruction Fuzzy Hash: 31413E35A005906BDB216BBBCC45BBE3AA5EF41330F1C0269FD29D63D2E6348951B272

Function 00D36278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D362E2
ScreenToClient.USER32(?,?), ref: 00D36315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00D36382

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 12bff20eaf873191819b6db5503ea6cfcba56094cb309f60f02564744cc6b05c
Instruction ID: a337ce54117ba896861958941391c390a8db2e844435103407a3909a0b913b42
Opcode Fuzzy Hash: 12bff20eaf873191819b6db5503ea6cfcba56094cb309f60f02564744cc6b05c
Instruction Fuzzy Hash: E0510A75A00209EFDB10DF68D8819AE7BB5EB45360F188259F965DB2A0D730ED81CB60

Function 00D21AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00D21AFD
WSAGetLastError.WSOCK32 ref: 00D21B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00D21B8A
WSAGetLastError.WSOCK32 ref: 00D21B94

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: f2bb6c4a03ae3f1fc5934b2a01739cd906fb14d775aaf8abfbf09ed83eef5785
Instruction ID: 6ec5d5077b5272131ca9e34c9e8072470d6c325a01d22102ed00c7d51eb9a42c
Opcode Fuzzy Hash: f2bb6c4a03ae3f1fc5934b2a01739cd906fb14d775aaf8abfbf09ed83eef5785
Instruction Fuzzy Hash: 2541D138600201AFE720AF24D886F2A77E5AB55718F58C448F91A9F3D2D772DD41CBA0

Function 00CDB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64f6a5505b1e893a14c63466c46314e97379ca3a7baa7abafe8bcdc78503561
Instruction ID: cda0bd4a16831265e780ecbc2e0f9e7f909cadb7b9ed31b1081ee468e9171e95
Opcode Fuzzy Hash: e64f6a5505b1e893a14c63466c46314e97379ca3a7baa7abafe8bcdc78503561
Instruction Fuzzy Hash: 9941D171A00244EFD724DF38C841BAABBE9EB88710F11452FF651DB382D7719A019790

Function 00D156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D15783
GetLastError.KERNEL32(?,00000000), ref: 00D157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D157FA

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d1aaab5d3b268a853e4d410f2fa194aac51e17d9537d6b0cd8cdbc64c404a558
Instruction ID: 0e2c3154acc8cb66708041be3eb5cb5306e96b4877f0d616b647fc2acf26b939
Opcode Fuzzy Hash: d1aaab5d3b268a853e4d410f2fa194aac51e17d9537d6b0cd8cdbc64c404a558
Instruction Fuzzy Hash: 0A411F39600611DFCB11EF55D585A5EBBE2FF89314B198488E84AAB362CB34FD40DBA1

Function 00CDD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00CC6D71,00000000,00000000,00CC82D9,?,00CC82D9,?,00000001,00CC6D71,8BE85006,00000001,00CC82D9,00CC82D9), ref: 00CDD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CDD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00CDD9AB
__freea.LIBCMT ref: 00CDD9B4

Part of subcall function 00CD3820: RtlAllocateHeap.NTDLL(00000000,?,00D71444,?,00CBFDF5,?,?,00CAA976,00000010,00D71440,00CA13FC,?,00CA13C6,?,00CA1129), ref: 00CD3852

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 22f2b382b5eec745cdbc815481f827a0d7b972d7f6ac5783c550efc9c2a81abc
Instruction ID: 7faf747da9a2002988d929bd4ff96ec4bd38e358fca4c79b8081563979d99ddb
Opcode Fuzzy Hash: 22f2b382b5eec745cdbc815481f827a0d7b972d7f6ac5783c550efc9c2a81abc
Instruction Fuzzy Hash: 4531FE72A1020AABDF249F65DC91EBE7BA5EB40310F05016AFD15D7290EB36CE50DBA0

Function 00D352C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00D35352
GetWindowLongW.USER32(?,000000F0), ref: 00D35375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D35382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D353A8

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: adf680affbd72d8f2609d049b067b95c5970c714d0d197ec708469a657bfab7d
Instruction ID: a18376eca604157c9ef1266e70a5341f715a6e73a611bd80de3b2be0d91d800b
Opcode Fuzzy Hash: adf680affbd72d8f2609d049b067b95c5970c714d0d197ec708469a657bfab7d
Instruction Fuzzy Hash: CC31C334A95A08EFEB309F54EC06BE83765EB053D0F5C4101FA51962E5C7B1AD80EB72

Function 00D0AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 00D0ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00D0AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00D0AC74
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 00D0ACC6

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5921694d921020da725de9eabe25f2769fa2f6a9da02aaaefb841110e60be66b
Instruction ID: 69c9765a6b40b3b604393fbc8ecf60b9776fe9a7a1793e5cd1b55a2f3c7f1bd0
Opcode Fuzzy Hash: 5921694d921020da725de9eabe25f2769fa2f6a9da02aaaefb841110e60be66b
Instruction Fuzzy Hash: 07310734A04718AFFF35CB69CC097FE7BA5AB89310F09431AE48D962D1C3758985877A

Function 00D37674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D3769A
GetWindowRect.USER32(?,?), ref: 00D37710
PtInRect.USER32(?,?,00D38B89), ref: 00D37720
MessageBeep.USER32(00000000), ref: 00D3778C

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5b51fff253dbac9df26f45cbc94ec69b1fa6bd2bb91d8c218a97e9bb783704f6
Instruction ID: a7e7b7517c306ed1e22019907278597f0f08dbf9d67dd790103e8d276135ae9c
Opcode Fuzzy Hash: 5b51fff253dbac9df26f45cbc94ec69b1fa6bd2bb91d8c218a97e9bb783704f6
Instruction Fuzzy Hash: 31419CB8605A14AFCB21CF58C895EA977F4FB49310F1841A8E524DB361D330E942CFB0

Function 00D316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D316EB

Part of subcall function 00D03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D03A57
Part of subcall function 00D03A3D: GetCurrentThreadId.KERNEL32 ref: 00D03A5E
Part of subcall function 00D03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D025B3), ref: 00D03A65

GetCaretPos.USER32(?), ref: 00D316FF
ClientToScreen.USER32(00000000,?), ref: 00D3174C
GetForegroundWindow.USER32 ref: 00D31752

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d6e7b22bf1bee106ff7cb56a96010d0b87db30a7f6a3bc1e5e0dc56c79be9fe8
Instruction ID: 8451a7a67ffe4380131ae7fd3e1195ded95e879980455a8cdd3c04a4ba1d55f4
Opcode Fuzzy Hash: d6e7b22bf1bee106ff7cb56a96010d0b87db30a7f6a3bc1e5e0dc56c79be9fe8
Instruction Fuzzy Hash: B33121B5D00249AFC704DFA9C881DAEB7FDEF49308B548069E415E7251D731DE45CBA0

Function 00D0DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00CA7620: _wcslen.LIBCMT ref: 00CA7625

_wcslen.LIBCMT ref: 00D0DFCB
_wcslen.LIBCMT ref: 00D0DFE2
_wcslen.LIBCMT ref: 00D0E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00D0E018

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 2a90c58e9248df51e20b8aff303437be553725312f25dfb8321864c2ffc781cd
Instruction ID: 1022c953b93be3e2f128c6bfb6e584d239367b96cd97e30c80089632c783a41f
Opcode Fuzzy Hash: 2a90c58e9248df51e20b8aff303437be553725312f25dfb8321864c2ffc781cd
Instruction Fuzzy Hash: 7D218371900215AFCB209FA8D981BAEB7F8EF45750F148069F809BB385D6709E41DBB1

Function 00D0D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D0D501
Process32FirstW.KERNEL32(00000000,?), ref: 00D0D50F
Process32NextW.KERNEL32(00000000,?), ref: 00D0D52F
CloseHandle.KERNEL32(00000000), ref: 00D0D5DC

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 718d32b1c08a0cf83a624716c9aeea3c1241510954da51580404312bb58a12e9
Instruction ID: 0cc403b23023b19200f5f6bc90626b6333adc13047e4deeb2e5b1b9fe9f383d6
Opcode Fuzzy Hash: 718d32b1c08a0cf83a624716c9aeea3c1241510954da51580404312bb58a12e9
Instruction Fuzzy Hash: B83191721083019FD300EF64CC85BAFBBE8EF9A358F14092DF585961E1EB719945DBA2

Function 00D38FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

GetCursorPos.USER32(?), ref: 00D39001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00CF7711,?,?,?,?,?), ref: 00D39016
GetCursorPos.USER32(?), ref: 00D3905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00CF7711,?,?,?), ref: 00D39094

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: b724280f7d33b0b56683d51e90b144626d33fe0d03030d40b44ec930501547f5
Instruction ID: 6febfcf3a58037e3d795d3e2a8ef8a029e766f2808a8969ce8e792a1c773d0d2
Opcode Fuzzy Hash: b724280f7d33b0b56683d51e90b144626d33fe0d03030d40b44ec930501547f5
Instruction Fuzzy Hash: 5D21D135600218EFCB298FA8CC68EFABBB9EF49350F084155F90597261D3719990EB70

Function 00D0D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00D3CB68), ref: 00D0D2FB
GetLastError.KERNEL32 ref: 00D0D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D0D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00D3CB68), ref: 00D0D376

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 84fe7038ce901278ec9adea052c51c1fb508f1cf92e838f707b9c4023189f44d
Instruction ID: cb3d848ac8845574e81ed7bf22e6a401ffc7d8ed81416e5e0e7ab5c14a1e370f
Opcode Fuzzy Hash: 84fe7038ce901278ec9adea052c51c1fb508f1cf92e838f707b9c4023189f44d
Instruction Fuzzy Hash: 0D21A1705093029FC700DFA8C88196BB7E4EE56368F544A1EF499D32E1D730D94ACBA3

Function 00D01571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D01014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D0102A
Part of subcall function 00D01014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D01036
Part of subcall function 00D01014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D01045
Part of subcall function 00D01014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D0104C
Part of subcall function 00D01014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D01062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D015BE
_memcmp.LIBVCRUNTIME ref: 00D015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D01617
HeapFree.KERNEL32(00000000), ref: 00D0161E

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: f56aa0ba45121b4dae35286a5882b991bbbe83309d163d2e49ea035d322f675e
Instruction ID: d5ce3e44ec7419aafafe9457bacfdd62a530c2bb165ecac8ee4ed3edb9a64e0d
Opcode Fuzzy Hash: f56aa0ba45121b4dae35286a5882b991bbbe83309d163d2e49ea035d322f675e
Instruction Fuzzy Hash: 52217832E00208AFDB14DFA4CD49BEEB7B8EF44344F084459E449AB281E731AA45DBA0

Function 00D32782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00D3280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D32824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D32832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00D32840

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: e87eabe17dbb468a43683093dcaf82d8510b4be9a2faaa7fe2a611b0f5b5f160
Instruction ID: 36dad5dfa52540e9ac41b126f5cc85e0585585a6d4b9ffc93bab044e5a85c446
Opcode Fuzzy Hash: e87eabe17dbb468a43683093dcaf82d8510b4be9a2faaa7fe2a611b0f5b5f160
Instruction Fuzzy Hash: C121A131A05611AFD7149B24C855FBA7BA5EF45324F188158F466CB6E2C771FC42C7A0

Function 00D078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D08D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00D0790A,?,000000FF,?,00D08754,00000000,?,0000001C,?,?), ref: 00D08D8C
Part of subcall function 00D08D7D: lstrcpyW.KERNEL32(00000000,?,?,00D0790A,?,000000FF,?,00D08754,00000000,?,0000001C,?,?,00000000), ref: 00D08DB2
Part of subcall function 00D08D7D: lstrcmpiW.KERNEL32(00000000,?,00D0790A,?,000000FF,?,00D08754,00000000,?,0000001C,?,?), ref: 00D08DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00D08754,00000000,?,0000001C,?,?,00000000), ref: 00D07923
lstrcpyW.KERNEL32(00000000,?,?,00D08754,00000000,?,0000001C,?,?,00000000), ref: 00D07949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00D08754,00000000,?,0000001C,?,?,00000000), ref: 00D07984

Strings

cdecl, xrefs: 00D0797B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: df3c257f722a75d17d4528c6900bf73f4f750a994bb7950ccf924bb6327d603d
Instruction ID: 4466659afdc102487063e6467e2234823562ab4f5e7c937ce8702609eebb3f18
Opcode Fuzzy Hash: df3c257f722a75d17d4528c6900bf73f4f750a994bb7950ccf924bb6327d603d
Instruction Fuzzy Hash: E211B43A600341AFCB155F34D845EBA77A9FF45350B54402AE94ACB3A4EB71D811DBB1

Function 00D37CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00D37D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00D37D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D37D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00D1B7AD,00000000), ref: 00D37D6B

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c1c803b10b84db20d3f646f3ee8b194363f563b92a6b06eae16aeb36601714c5
Instruction ID: d5fec4c01086028f394e7e785c56d51006ea8335b696b57b6c23220b6dcbae36
Opcode Fuzzy Hash: c1c803b10b84db20d3f646f3ee8b194363f563b92a6b06eae16aeb36601714c5
Instruction Fuzzy Hash: 2511DF72214A54EFCB208F28DC04AA63BA4AF45360F198324F939D72F0E730C952DB60

Function 00D35660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00D356BB
_wcslen.LIBCMT ref: 00D356CD
_wcslen.LIBCMT ref: 00D356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D35816

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 8e3cee7695ab8403a1fe5e4efdf58eded2e4064fb7fc0dc11e9c32414fa13e97
Instruction ID: 1de56c36121b1cc5f402d2ae7ed4cb29e21f511457c8d8dfc8adde96e67541ca
Opcode Fuzzy Hash: 8e3cee7695ab8403a1fe5e4efdf58eded2e4064fb7fc0dc11e9c32414fa13e97
Instruction Fuzzy Hash: A9110075A00618A6DB20DF65EC82AEE37ACEF01760F14802AF905D6085EB70CA80CF70

Function 00CD1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91167e43004a3fd883f71c2e6166237d2896176683f9411582d4c894a04cc98b
Instruction ID: de08eed3570e99e06defa1b15a91bf6fc4fdfae91394eebc5c25ad352a9d7339
Opcode Fuzzy Hash: 91167e43004a3fd883f71c2e6166237d2896176683f9411582d4c894a04cc98b
Instruction Fuzzy Hash: DC014FB26097167EF62226786CC1F67661EDF513B8B381327FB32A13D2DB608D40A170

Function 00D01A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D01A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D01A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D01A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D01A8A

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 096e13cb119c49c7a2f2d56afada9fb63130da9762c9a602e74a6d9882d152aa
Instruction ID: 6b061dcd810ea03a11c46235013cec7d16eb44a48767dfbdb25c8ed4a84c0c3d
Opcode Fuzzy Hash: 096e13cb119c49c7a2f2d56afada9fb63130da9762c9a602e74a6d9882d152aa
Instruction Fuzzy Hash: 8711FA3AA01219FFEB119BA5CD85FADBB78EB04754F200091E604B7290D6716E51DBA4

Function 00D0E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D0E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00D0E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D0E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D0E24D

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 0361c4ad605c399c426a0455df0b45232291e7831d20c6132a3cf121f491e8a4
Instruction ID: cfb620cb10dd0b0855ab46921476a02eb59ce51bc2520d0621b3428cc1decf4f
Opcode Fuzzy Hash: 0361c4ad605c399c426a0455df0b45232291e7831d20c6132a3cf121f491e8a4
Instruction Fuzzy Hash: 7C11AD76904358BBC7019BA8AC09B9A7BACAB45324F044769F929E3391E6B0C94487B0

Function 00CCD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00CCCFF9,00000000,00000004,00000000), ref: 00CCD218
GetLastError.KERNEL32 ref: 00CCD224
__dosmaperr.LIBCMT ref: 00CCD22B
ResumeThread.KERNEL32(00000000), ref: 00CCD249

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 8d1003379ca001ec579ebf3d3dbf06b1654ad2e1d3f5bce846d37f11369c8d48
Instruction ID: 70f1bee55d6ebb65f382c6a4ed949c79743a96c68afed9093278f78a5aebf20f
Opcode Fuzzy Hash: 8d1003379ca001ec579ebf3d3dbf06b1654ad2e1d3f5bce846d37f11369c8d48
Instruction Fuzzy Hash: 7A01D276805204BBCB216BA5DC09FAE7A6DDF81331F20022DF926921D0CB70CD41E7A0

Function 00D39EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

GetClientRect.USER32(?,?), ref: 00D39F31
GetCursorPos.USER32(?), ref: 00D39F3B
ScreenToClient.USER32(?,?), ref: 00D39F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00D39F7A

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 269445e9ac1f1f9a69b97390e2f9aa8929f7229be12f029eb540ce8285d0950b
Instruction ID: 842ff8c07b2eaf0848c102b162dcf2ff82537b06ed6aef78f2e998af8b93878e
Opcode Fuzzy Hash: 269445e9ac1f1f9a69b97390e2f9aa8929f7229be12f029eb540ce8285d0950b
Instruction Fuzzy Hash: 8411573690021AABDB10EFA8C899DEEB7B8FF05311F004551F911E3250D770BA81CBB1

Function 00CA600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CA604C
GetStockObject.GDI32(00000011), ref: 00CA6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CA606A

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: db2fc674cf4ab2decdb47301fdf39f11bb32fe5736b91ff9ae8e3a64c6d74b89
Instruction ID: 6fc763c7b98d5a62b3269d98f9b68ede8520827371c0c5d409bc46cf1a7a55fb
Opcode Fuzzy Hash: db2fc674cf4ab2decdb47301fdf39f11bb32fe5736b91ff9ae8e3a64c6d74b89
Instruction Fuzzy Hash: D611617250164ABFEF124FA49C45EEABF69EF09398F050215FA1492110D7329DA0EBA4

Function 00CC3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00CC3B56

Part of subcall function 00CC3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00CC3AD2
Part of subcall function 00CC3AA3: ___AdjustPointer.LIBCMT ref: 00CC3AED

_UnwindNestedFrames.LIBCMT ref: 00CC3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00CC3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00CC3BA4

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 50cfa37b2020b7fe82f3beca904313014b8739cd062866351e8570080e37d389
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: E0010C32100189BBDF125E95DC46EEB7F7EEF58754F048018FE5896121C732E961EBA0

Function 00CD3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00CA13C6,00000000,00000000,?,00CD301A,00CA13C6,00000000,00000000,00000000,?,00CD328B,00000006,FlsSetValue), ref: 00CD30A5
GetLastError.KERNEL32(?,00CD301A,00CA13C6,00000000,00000000,00000000,?,00CD328B,00000006,FlsSetValue,00D42290,FlsSetValue,00000000,00000364,?,00CD2E46), ref: 00CD30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CD301A,00CA13C6,00000000,00000000,00000000,?,00CD328B,00000006,FlsSetValue,00D42290,FlsSetValue,00000000), ref: 00CD30BF

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 8539b6737afcaef4e2887e9c3a5b11c39b0c45278b06f7953506ed67160a5d92
Instruction ID: e64f0b9406c5c596ce4357ed7eea4688d6e0a45d846cc5ef5c1cd7406fd38d20
Opcode Fuzzy Hash: 8539b6737afcaef4e2887e9c3a5b11c39b0c45278b06f7953506ed67160a5d92
Instruction Fuzzy Hash: 49012B36311362ABCB314B79AC449577B98AF45B61B140621FB15F3380D721EA01C7F1

Function 00D07464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00D0747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00D07497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00D074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00D074CA

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 3b9fef2a1edb097ad38900ba9353de3d0b36bfc76c7c2c4cbdad6cdfa985f4ac
Instruction ID: 05c20d061389f11af8cfd0f0a11012cd28502c534bc628186ed6d5f7470a99d4
Opcode Fuzzy Hash: 3b9fef2a1edb097ad38900ba9353de3d0b36bfc76c7c2c4cbdad6cdfa985f4ac
Instruction Fuzzy Hash: 2E1180B5A05315AFE7208F54EC09F927FFCEB00B04F108569A65AEA191D7B0F904DB70

Function 00D0B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D0ACD3,?,00008000), ref: 00D0B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D0ACD3,?,00008000), ref: 00D0B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D0ACD3,?,00008000), ref: 00D0B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D0ACD3,?,00008000), ref: 00D0B126

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 7617ff0a15e48bbace7e6127c23c287aba3dc757e50347794fad70956f549c46
Instruction ID: bb790c3e7c60658f9020b5543013f488875f311db1a743785d700f4696d5265e
Opcode Fuzzy Hash: 7617ff0a15e48bbace7e6127c23c287aba3dc757e50347794fad70956f549c46
Instruction Fuzzy Hash: 26113C31D05718D7CF009FA4D9587EEBB78FF1A721F104086D945B2281CB7095509B72

Function 00D37E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D37E33
ScreenToClient.USER32(?,?), ref: 00D37E4B
ScreenToClient.USER32(?,?), ref: 00D37E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D37E8A

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 2dd7b1d4ed96d6bf489647303292a94ecd5b3b907cd8e40887aa5e420260e1e4
Instruction ID: 7981f2fba38670bf76f2717fb3a5f99905de72dad33337a22414c34807630f78
Opcode Fuzzy Hash: 2dd7b1d4ed96d6bf489647303292a94ecd5b3b907cd8e40887aa5e420260e1e4
Instruction Fuzzy Hash: 1F1143B9D0020AAFDB51CF98C8849EEBBF5FB08310F505056E915E2210D735AA55CF60

Function 00D02DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D02DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D02DD6
GetCurrentThreadId.KERNEL32 ref: 00D02DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D02DE4

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 6d833fb474ba774ac9e27776e06e838e0ca1a882e620d7a819e1da7d95deaac0
Instruction ID: 627a46026a9c8e80171f92ba161ec65b0e73296ffd2a0de8f05596f87dbf832e
Opcode Fuzzy Hash: 6d833fb474ba774ac9e27776e06e838e0ca1a882e620d7a819e1da7d95deaac0
Instruction Fuzzy Hash: 9CE092716123247BDB201B729C0EFFB3E6CEF42BA1F041015F109E11909AA4C840C7F0

Function 00D38863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CB9693
Part of subcall function 00CB9639: SelectObject.GDI32(?,00000000), ref: 00CB96A2
Part of subcall function 00CB9639: BeginPath.GDI32(?), ref: 00CB96B9
Part of subcall function 00CB9639: SelectObject.GDI32(?,00000000), ref: 00CB96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00D38887
LineTo.GDI32(?,?,?), ref: 00D38894
EndPath.GDI32(?), ref: 00D388A4
StrokePath.GDI32(?), ref: 00D388B2

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: cdbd167efcdfef795879ff015df212bfc92b56f8dbf1eac3cf00909374924c55
Instruction ID: 4229e7b4008b76d762b654967f62d21e5ee42b8a24c6416ec23341f02751d7b2
Opcode Fuzzy Hash: cdbd167efcdfef795879ff015df212bfc92b56f8dbf1eac3cf00909374924c55
Instruction Fuzzy Hash: A4F03A36055758BADB125F98AC09FCA3B69AF06310F088100FB12B52E2C7B55551DFF5

Function 00CB98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00CB98CC
SetTextColor.GDI32(?,?), ref: 00CB98D6
SetBkMode.GDI32(?,00000001), ref: 00CB98E9
GetStockObject.GDI32(00000005), ref: 00CB98F1

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 99115a795775c9fc74cfa0b62cf9a11f312b87d53dee56a339c08dfc1fb770a0
Instruction ID: 51f3b0ed170682a5fe63536b5c9666f338cb21fd7fac9fe836569c064d4e7372
Opcode Fuzzy Hash: 99115a795775c9fc74cfa0b62cf9a11f312b87d53dee56a339c08dfc1fb770a0
Instruction Fuzzy Hash: A6E06531254744AADB215B74EC09BE83F10EB11375F049319F7F9A41E1C3724640DB21

Function 00D0162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00D01634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00D011D9), ref: 00D0163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D011D9), ref: 00D01648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00D011D9), ref: 00D0164F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 0b7e5ab564a8984e0351e3a482787ed0442bd6bacfc226fb8971a64c416e7bb9
Instruction ID: 7b8fc1c1c8602545a25564c9920689b00ca609e522f88515d01a987679d71fa4
Opcode Fuzzy Hash: 0b7e5ab564a8984e0351e3a482787ed0442bd6bacfc226fb8971a64c416e7bb9
Instruction Fuzzy Hash: B8E08C36612311EBD7301FA0AE0DB873B7CAF44792F188808F249E9080E7348444CB74

Function 00CFD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CFD858
GetDC.USER32(00000000), ref: 00CFD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CFD882
ReleaseDC.USER32(?), ref: 00CFD8A3

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0ad12e34c14c58922ae02c7b970ea77c06a5b2da40cb010ff55343ace5f4b10a
Instruction ID: 277a280f43b3b21ebd874f32cbeb362800718645effb782d4908eeeadf373eea
Opcode Fuzzy Hash: 0ad12e34c14c58922ae02c7b970ea77c06a5b2da40cb010ff55343ace5f4b10a
Instruction Fuzzy Hash: DCE01AB1810305DFCB41AFA1D84D66DBBB2FB08310F109009F846F7360D7388901AF60

Function 00CFD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CFD86C
GetDC.USER32(00000000), ref: 00CFD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CFD882
ReleaseDC.USER32(?), ref: 00CFD8A3

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3ae09b8265559444941ff7070d662719112ada7c6980c8599a70e348aeedcf05
Instruction ID: 0d34a8d7be79c6598d4450e52170f660835ba03f1741a622ab10595385112e69
Opcode Fuzzy Hash: 3ae09b8265559444941ff7070d662719112ada7c6980c8599a70e348aeedcf05
Instruction Fuzzy Hash: 45E012B1810304EFCB40AFA0D84D66DBBB1BB08310F10A008F84AF7360DB389901AF60

Function 00D14D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA7620: _wcslen.LIBCMT ref: 00CA7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00D14ED4

Strings

*, xrefs: 00D14E10
LPT, xrefs: 00D14DFB

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 764f95169613a5a21c29c37e488f9393de4de0462b441789dd43a93fe362c639
Instruction ID: d23c2c9ecd1ef3002fc0483317c62d0cf95c1b77b26bf644f0360bd7d42d0d17
Opcode Fuzzy Hash: 764f95169613a5a21c29c37e488f9393de4de0462b441789dd43a93fe362c639
Instruction Fuzzy Hash: 63915175A00205AFCB14DF58D484EEABBF1BF45308F198099E4459F352DB35ED86CB60

Function 00CCE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00CCE30D

Strings

pow, xrefs: 00CCE2E5, 00CCE302

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 043009a4813db92cc64d7793e719c56cb527b1ae7c1005633e97801a9ecf295d
Instruction ID: 924bdefaf34d657871346e78faa073d176ff832918a35d0f89ffc17dd8b69e08
Opcode Fuzzy Hash: 043009a4813db92cc64d7793e719c56cb527b1ae7c1005633e97801a9ecf295d
Instruction Fuzzy Hash: 7A515C61A0C3029ACB157B14C901B7A3BA4AF42740F744E9EF5E5823F9FB348D95AA46

Function 00CBE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00CBE1B1

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 54330777d9d696ae9c3f6555ee07e1950a6e992eabbcec26d1619e56307b1086
Instruction ID: 612820167b9c31bc5b9d03414d6ebdae3445f6078f47cba7bec5eeb86c202f07
Opcode Fuzzy Hash: 54330777d9d696ae9c3f6555ee07e1950a6e992eabbcec26d1619e56307b1086
Instruction Fuzzy Hash: 5751593550434ADFDB15EF68C081AFA7BA4EF16710F244066FD619B2E0D7349E42DBA2

Function 00CBF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00CBF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00CBF2BB

Strings

@, xrefs: 00CBF2AF

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f909c854986455cf5ca09f9424480250b631ad3daf1bf8ed665fed04b3698a00
Instruction ID: e2d1cbc1bb6b6581b1653929f96de6dd6480934e84ede9c5e8a52f61f4898f5b
Opcode Fuzzy Hash: f909c854986455cf5ca09f9424480250b631ad3daf1bf8ed665fed04b3698a00
Instruction Fuzzy Hash: 445134724087499FD320AF54DC86BABBBF8FB85304F81885DF199811A5EB708529CB66

Function 00D25745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00D257E0
_wcslen.LIBCMT ref: 00D257EC

Strings

CALLARGARRAY, xrefs: 00D257E6, 00D257EB

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 0336f7dda8900d719d1bc1d6299af1111f6e9b01da5ba356fcd7c0ce948962d7
Instruction ID: e4de321e68d12cc4717815a2207614e6bdb2a89b2519fa7b17fc277d8c643822
Opcode Fuzzy Hash: 0336f7dda8900d719d1bc1d6299af1111f6e9b01da5ba356fcd7c0ce948962d7
Instruction Fuzzy Hash: D141A131A001199FCB04DFA8E881DAEFBB5FF69318F144029E505A7295D770DD81DBA0

Function 00D1D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D1D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D1D13A

Strings

|, xrefs: 00D1D10B

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 504759a92b997002b2bba2326a54b84e5cf81fa3b09e715d70ef025b5d404d9e
Instruction ID: 6218b5b6783c23dcccf9751c709389e479265025691869224ce40ec7effab1d2
Opcode Fuzzy Hash: 504759a92b997002b2bba2326a54b84e5cf81fa3b09e715d70ef025b5d404d9e
Instruction Fuzzy Hash: 21311971D00219BBCF15EFE4DC85AEEBFBAFF05304F040019E815A6166DB35AA46DB60

Function 00D3356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00D33621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D3365C

Strings

static, xrefs: 00D335BC

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a4f9549b100acab8c59b45f3503b8357fa3828aafd967357b00db012ee648919
Instruction ID: 1cef76c26efa56ae50b742cc477caf4f4f7b7448adb5408c99d54fc0f0708fbf
Opcode Fuzzy Hash: a4f9549b100acab8c59b45f3503b8357fa3828aafd967357b00db012ee648919
Instruction Fuzzy Hash: A9319A72110204AEDB209F68DC81EFB73A9FF88764F149619F8A5D7290DA30ED91DB70

Function 00D34537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00D3461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D34634

Strings

', xrefs: 00D3458E

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 21be11103693d6397f0957937303ca494949176b6705a4c6ab20af3f277c685f
Instruction ID: 7ba6ffa81d72a3ddfec19cbbac4027bbb4b3dc8f20bbb2f72f495fd593a3d120
Opcode Fuzzy Hash: 21be11103693d6397f0957937303ca494949176b6705a4c6ab20af3f277c685f
Instruction Fuzzy Hash: 8D312575A0130A9FDB14CFA9C981BDABBB5FF09300F14406AE904AB391E774E941CFA0

Function 00D331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D3327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D33287

Strings

Combobox, xrefs: 00D33249

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 54241be1e0c340c22dd320259f3a1c341b625db206acfbe20eb58f1030204191
Instruction ID: cdb64d383a8ac77db60958c81e7c06029cd3f6171ed9fe2f6629da51181c8d07
Opcode Fuzzy Hash: 54241be1e0c340c22dd320259f3a1c341b625db206acfbe20eb58f1030204191
Instruction Fuzzy Hash: E711E2753002087FEF219F54DD81EBB376AEB943A4F140228F918DB290D6319D618770

Function 00D33710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00CA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CA604C
Part of subcall function 00CA600E: GetStockObject.GDI32(00000011), ref: 00CA6060
Part of subcall function 00CA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CA606A

GetWindowRect.USER32(00000000,?), ref: 00D3377A
GetSysColor.USER32(00000012), ref: 00D33794

Strings

static, xrefs: 00D33757

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6afa73490b0f6e7fe2759abc18eab60b28c3b853b7185c8be4e0e13ff0fe7a18
Instruction ID: 3f1c512968133706c21444c71cec612f36b6c7b465f68b1b42b7baf413a7b68b
Opcode Fuzzy Hash: 6afa73490b0f6e7fe2759abc18eab60b28c3b853b7185c8be4e0e13ff0fe7a18
Instruction Fuzzy Hash: 901137B261020AAFDF00DFA8CD46EFA7BB8FB08354F045914F955E2250E775E861DB60

Function 00D1CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D1CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D1CDA6

Strings

<local>, xrefs: 00D1CD66

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 33f24b611ed72f4d3606d8ff525e1411b4655ccef08b984f823c3d73b0e84a57
Instruction ID: c47936c6f93446e113ff99edb601ac8b2b38f5ce52851bb97e4c250328d0c387
Opcode Fuzzy Hash: 33f24b611ed72f4d3606d8ff525e1411b4655ccef08b984f823c3d73b0e84a57
Instruction Fuzzy Hash: 8E11C6B12A56317AD7344B66BC45EE7BE6CEF127A4F005226B549D3180DB709881D6F0

Function 00D33429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00D334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D334BA

Strings

edit, xrefs: 00D3348F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1cdbfd97c3531672ac8069af41916cd61ef7328c90d894561dce38ef8250e6d5
Instruction ID: cee2b31fcd50e6f8810a1cf585c67848a28b6c39bc8361c39bae8a9024befc69
Opcode Fuzzy Hash: 1cdbfd97c3531672ac8069af41916cd61ef7328c90d894561dce38ef8250e6d5
Instruction Fuzzy Hash: BE118C71100208AFEB228F64DD44AAB376AEB05378F544324F965E32E0C771DCA19B70

Function 00D06C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00D06CB6
_wcslen.LIBCMT ref: 00D06CC2

Strings

STOP, xrefs: 00D06CBC, 00D06CC1

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 5e4fea22beee320828b8eabbd96d6e5ef87981c4887782da30fc4904b91c1f93
Instruction ID: 5046c9626966f31829b48e0c3008aef2515cf9be671c859b9e71d7fc23eb1460
Opcode Fuzzy Hash: 5e4fea22beee320828b8eabbd96d6e5ef87981c4887782da30fc4904b91c1f93
Instruction Fuzzy Hash: 8A012232A005278BDB20AFBDDC81BBF3BB4EF61714B040528E866972D0EB31D860C670

Function 00D01CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D03CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D01D4C

Strings

ComboBox, xrefs: 00D01CEB
ListBox, xrefs: 00D01D16

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 371680637424d49a417f6e5a2002839e035abdbbfe73ef2164a4b56b598835da
Instruction ID: 7fc9003d59de370618befe3fde8f8f272cd8a048a6546a9b3e799837d2f91266
Opcode Fuzzy Hash: 371680637424d49a417f6e5a2002839e035abdbbfe73ef2164a4b56b598835da
Instruction Fuzzy Hash: 1B01D875601225ABCB04EBA4CC56EFE7368EB47354F040619F876673D1EA3099089770

Function 00D01BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D03CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00D01C46

Strings

ComboBox, xrefs: 00D01BE5
ListBox, xrefs: 00D01C10

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 96596ba90a4bc458efef466b2ad96747d9fefe30768bffc1b4117a8ebeb9653a
Instruction ID: 07a5920c1f55ad450828bba99e33109c51c9c1de6d8d8a9ee527238ef51c7acb
Opcode Fuzzy Hash: 96596ba90a4bc458efef466b2ad96747d9fefe30768bffc1b4117a8ebeb9653a
Instruction Fuzzy Hash: C101A7757811056BDB08EB90C956BFFB7A8DB12344F140019F41A772C1EA24DE4C96B5

Function 00D01C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D03CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00D01CC8

Strings

ComboBox, xrefs: 00D01C69
ListBox, xrefs: 00D01C94

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6abfb6ef605aaa475ac3cf5f8fd1c7207e9525fdf8365a52adfde87fb0ced938
Instruction ID: a586625bec0257a22d38af50f10fbaeb1de5f9ed347b01ee4788ae76e42d6643
Opcode Fuzzy Hash: 6abfb6ef605aaa475ac3cf5f8fd1c7207e9525fdf8365a52adfde87fb0ced938
Instruction Fuzzy Hash: 2C01D675B801196BEB04EBA5CA16BFEB3ACDB12384F140015B80AB32C1EA70DF08D675

Function 00D01D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D03CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00D01DD3

Strings

ComboBox, xrefs: 00D01D75
ListBox, xrefs: 00D01DA0

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5aefca2736e2ac5ba81097150e57ee371608e5e0b2c83ac3554e0de146335c48
Instruction ID: 33491e622ab4fdb80838f1f45d4be9df473f75f60a59f2f12db7a867116c5fb3
Opcode Fuzzy Hash: 5aefca2736e2ac5ba81097150e57ee371608e5e0b2c83ac3554e0de146335c48
Instruction Fuzzy Hash: 80F0A475B516156BDB04E7A4CC56BFE776CEB02358F040915F866A72C1DA70990C9270

Function 00D2747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D27493
_wcslen.LIBCMT ref: 00D274B9

Strings

3, 3, 16, 1, xrefs: 00D27483

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 9919a41b3de19afba31e62a804d2710c24c17259c8915673f3ca82edc1bbf1d8
Instruction ID: 1a047bf6fb8894682a43e2d390f5201abb051282355e0c97b9187f84e8f15203
Opcode Fuzzy Hash: 9919a41b3de19afba31e62a804d2710c24c17259c8915673f3ca82edc1bbf1d8
Instruction Fuzzy Hash: F5E02B026042301092353279FCC1EBF568DCFD6754714182FF981C2266EAA4CD93A3B0

Function 00D00B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D00B23

Strings

Error allocating memory., xrefs: 00D00B1C
AutoIt, xrefs: 00D00B17

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 8faf3af0724f9aa2292d50a54a1ba7a0ad8260f4a8bbe877da311bbc5e02fa52
Instruction ID: 5cebbeda0eefabdb72e7b50456d4ea0c2d1b5d535933b810f8b6b6b2dbdb3992
Opcode Fuzzy Hash: 8faf3af0724f9aa2292d50a54a1ba7a0ad8260f4a8bbe877da311bbc5e02fa52
Instruction Fuzzy Hash: 53E0DF322943183AD2143794BC03FC97A848F05B61F10042EFB98A56C38AE264902BB9

Function 00CC0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CBF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00CC0D71,?,?,?,00CA100A), ref: 00CBF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00CA100A), ref: 00CC0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00CA100A), ref: 00CC0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00CC0D7F

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: fd52611ed9ffd2189174ac1855d200638a2efc8b035c7b9021c1e9738d2a91cd
Instruction ID: 6469c54dd53a937c9d3a5914ee781518d5cf5d5ffaa3fe8551d0e49d3cf2cec4
Opcode Fuzzy Hash: fd52611ed9ffd2189174ac1855d200638a2efc8b035c7b9021c1e9738d2a91cd
Instruction Fuzzy Hash: 00E06D742007118BD3209FB8D8087427BE0AB00744F104A6DE886D6751DBB4E4848BA1

Function 00D13017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00D1302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00D13044

Strings

aut, xrefs: 00D13038

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: cdea82cefd5bbaeecf39b68d0c2851d9d6ae26db6997c9ac8ab201129811d637
Instruction ID: e637c6d61a73a2ba9effc98ebd82e63ab9f1a8bf225b0146c120a43be6eda844
Opcode Fuzzy Hash: cdea82cefd5bbaeecf39b68d0c2851d9d6ae26db6997c9ac8ab201129811d637
Instruction Fuzzy Hash: 9BD05E765003286BDA20A7A4AC0EFCB3A6CDB05750F0002A1BA55E2191DAB0D984CBE4

Function 00CFD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CFD220

Strings

%.3d, xrefs: 00CFD22B
X64, xrefs: 00CFD2A8

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 47566c175de3756d3829ac0cce003d28584e62ea2f8d81dbab2da113b2cfa1d0
Instruction ID: b5832b0183d19afbb4bbcf4772c6bc3bc00edb8d8e6f7df8de5274ede666ada4
Opcode Fuzzy Hash: 47566c175de3756d3829ac0cce003d28584e62ea2f8d81dbab2da113b2cfa1d0
Instruction Fuzzy Hash: 80D012A180810CEACBD097D2DC458FAB37DAB18301F508452FA07E1140E624C90867A3

Function 00D32356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D3236C
PostMessageW.USER32(00000000), ref: 00D32373

Part of subcall function 00D0E97B: Sleep.KERNEL32 ref: 00D0E9F3

Strings

Shell_TrayWnd, xrefs: 00D32365

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 241ecfeaa05f4459464c99130ab8b21035d530955767bf2728783b8e836e1dab
Instruction ID: 400ecca2a56c477a1bdb346ccf986838beb86c932390a8d06c149f2e48b50d13
Opcode Fuzzy Hash: 241ecfeaa05f4459464c99130ab8b21035d530955767bf2728783b8e836e1dab
Instruction Fuzzy Hash: F4D0C9323913107BE664A770AC0FFC676149B05B10F1059167645FA2E0C9A0A8058B74

Function 00D32322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D3232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D3233F

Part of subcall function 00D0E97B: Sleep.KERNEL32 ref: 00D0E9F3

Strings

Shell_TrayWnd, xrefs: 00D32325

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d29500d8ea16ba8e2d356e9c0075426f7bc146cdb89c7c59d6f70bd8dcd9eae4
Instruction ID: c738f89cd80bfd3dc83ef20b62d93f8361cac4145089b47b2c57e12c84f36fd6
Opcode Fuzzy Hash: d29500d8ea16ba8e2d356e9c0075426f7bc146cdb89c7c59d6f70bd8dcd9eae4
Instruction Fuzzy Hash: 41D012363A4310BBE664B770EC0FFC67A149B00B10F1059167749FA2E0C9F0A805CB74

Function 00CDBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00CDBE93
GetLastError.KERNEL32 ref: 00CDBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CDBEFC

Memory Dump Source

Source File: 00000000.00000002.2552118292.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.2552099095.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552190157.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552259255.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2552279842.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 3d5b9a02d78cb0b0d1397a393c120dd168a3abd433f95353094fa9dffeb7c23f
Instruction ID: 1f89d2de916a46d38d4810aa65b634c1e48f9b8bd1c2cfad081ef6b18197f507
Opcode Fuzzy Hash: 3d5b9a02d78cb0b0d1397a393c120dd168a3abd433f95353094fa9dffeb7c23f
Instruction Fuzzy Hash: 6E41B539604346EFCF21CFA5CD54BBA7BA5AF41310F16416AFA69973A1DB308E01DB60

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIk6HLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIk6HLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1648343792&timestamp=1727434457341 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.149"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.149", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.149"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIk6HLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9TXGzWLSX1eOMza&MD=anumbD6B HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.149"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.149", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.149"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIk6HLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=517=dDxkoKA2z_kuMQuaPNPp8fMTqTBRVl1aMs0bApuSQQkC3kf6gyF4x0ZlMD9h89Sluq_wGknppAOnCpMWBzL3CxCzijvB84CU9tjwORyW44J08zplIGGVneO4jl6Oar4x2-16R-ceqf12gXIZcQhrJNHCU6yDgTkPxb-Z4eeCgABPPxvSGGQ

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\4179d7b4-4d08-4c57-9590-19ecc0dcbfd4 (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Downloads\5fb4c68c-2b24-46c3-9d7f-59c5c6a4127b.tmp

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 103

Chrome Cache Entry: 104

Chrome Cache Entry: 105

Chrome Cache Entry: 106

Chrome Cache Entry: 107

Chrome Cache Entry: 108

Chrome Cache Entry: 109

Windows Analysis Report
file.exe

Function 00CA42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00CA42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00CE2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00D0DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Function 00CA2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00CE065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00CA344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00CA2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre