Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1520639
MD5:	0cdc96575612c0492c5137e300d18cee
SHA1:	e02a5ed08f2b187d8709acf6fe680750e32ea1f0
SHA256:	6b46a024fb39fefa5bce5a16113c610bb0b5f9f2f77034b638cb50daea5682d6
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 5556 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0CDC96575612C0492C5137E300D18CEE)

chrome.exe (PID: 6780 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6048 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1864,i,6041840047849572020,8972894644726327820,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7940 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5736 --field-trial-handle=1864,i,6041840047849572020,8972894644726327820,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7948 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 --field-trial-handle=1864,i,6041840047849572020,8972894644726327820,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

String found in binary or memory: _.iq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.iq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.iq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.iq(_.rq(c))+"&hl="+_.iq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.iq(m)+"/chromebook/termsofservice.html?languageCode="+_.iq(d)+"&regionCode="+_.iq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_95.4.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_95.4.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: chromecache_101.4.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_95.4.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_95.4.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_101.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_101.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_95.4.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_95.4.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_95.4.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_95.4.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_95.4.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_95.4.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_95.4.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_95.4.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_95.4.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_95.4.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_95.4.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_95.4.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_101.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_95.4.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_95.4.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_95.4.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_101.4.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_95.4.dr	String found in binary or memory: https://www.google.com
Source: chromecache_95.4.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_101.4.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_101.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_101.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_101.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_101.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_101.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_95.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_95.4.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000002.3308272068.00000000038B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3307849084.0000000003678000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3308299384.0000000003C33000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3307360030.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3308299384.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: file.exe, 00000000.00000002.3307360030.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd.C
Source: file.exe, 00000000.00000002.3308299384.0000000003C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd/
Source: file.exe, 00000000.00000002.3308299384.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd3
Source: file.exe, 00000000.00000002.3307360030.00000000013CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdion;uC%
Source: chromecache_95.4.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.5:49759 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005AEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_005AEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_005AED6A

Source: C:\Users\user\Desktop\file.exe

0_2_005AEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0059AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0059AA57

Source: file.exe, 00000000.00000002.3308088234.00000000037B3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: _WINAPI_GETRAWINPUTDATA

memstr_4dcf7495-e

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_005C9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2047845708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_57b441af-0
Source: file.exe, 00000000.00000000.2047845708.00000000005F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_87b2bbc6-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_08b13707-3
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_359d4850-a

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0059D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0059D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00591201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00591201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0059E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0059E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053BF40	0_2_0053BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A2046	0_2_005A2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00538060	0_2_00538060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00598298	0_2_00598298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056E4FF	0_2_0056E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056676B	0_2_0056676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C4873	0_2_005C4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053CAF0	0_2_0053CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055CAA0	0_2_0055CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054CC39	0_2_0054CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00566DD9	0_2_00566DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054B119	0_2_0054B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005391C0	0_2_005391C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00551394	0_2_00551394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00551706	0_2_00551706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055781B	0_2_0055781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054997D	0_2_0054997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00537920	0_2_00537920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005519B0	0_2_005519B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00557A4A	0_2_00557A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00551C77	0_2_00551C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00557CA7	0_2_00557CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005BBE44	0_2_005BBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00569EEE	0_2_00569EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00551F32	0_2_00551F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00550A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0054F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00539CB3 appears 31 times

Source: file.exe, 00000000.00000002.3307849084.0000000003678000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Comments\|CompanyName\|FileDescription\|FileVersion\|InternalName\|LegalCopyright\|LegalTrademarks\|OriginalFilename\|ProductName\|ProductVersion\|PrivateBuild\|SpecialBuild vs file.exe
Source: file.exe, 00000000.00000002.3306743355.000000000114E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEM vs file.exe
Source: file.exe, 00000000.00000002.3306743355.000000000114E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameC vs file.exe
Source: file.exe, 00000000.00000002.3306629920.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEf vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.evad.winEXE@31/36@14/10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A37B5 GetLastError,FormatMessageW,

0_2_005A37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005910BF AdjustTokenPrivileges,CloseHandle,		0_2_005910BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005916C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005A51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005BA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_005BA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_005A648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005342A2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1864,i,6041840047849572020,8972894644726327820,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5736 --field-trial-handle=1864,i,6041840047849572020,8972894644726327820,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 --field-trial-handle=1864,i,6041840047849572020,8972894644726327820,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1864,i,6041840047849572020,8972894644726327820,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5736 --field-trial-handle=1864,i,6041840047849572020,8972894644726327820,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 --field-trial-handle=1864,i,6041840047849572020,8972894644726327820,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: file.exe

Static file information: File size 1167360 > 1048576

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00550A76 push ecx; ret

0_2_00550A89

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0054F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_005C1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97024

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 6632

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.4 %

Source: C:\Users\user\Desktop\file.exe TID: 6008	Thread sleep count: 6632 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6008	Thread sleep time: -66320s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Thread sleep count: Count: 6632 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0059DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056C2A2 FindFirstFileExW,	0_2_0056C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A68EE FindFirstFileW,FindClose,	0_2_005A68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_005A698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0059D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0059D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005A9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005A979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_005A9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_005A5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005342DE

Source: file.exe, 00000000.00000002.3308190540.0000000003847000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r0
Source: file.exe, 00000000.00000002.3308190540.0000000003847000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Z1%

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-96244

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005AEAA2 BlockInput,

0_2_005AEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00562622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00562622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00554CE8 mov eax, dword ptr fs:[00000030h]

0_2_00554CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00590B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00590B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00562622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00562622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0055083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005509D5 SetUnhandledExceptionFilter,	0_2_005509D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00550C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00550C21

Source: C:\Users\user\Desktop\file.exe

0_2_00591201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00572BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00572BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0059B226 SendInput,keybd_event,

0_2_0059B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005B22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_005B22DA

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00590B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00591663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00591663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00550698 cpuid

0_2_00550698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_005A8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0058D27A GetUserNameW,

0_2_0058D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0056B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0056B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005342DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe, 00000000.00000002.3306743355.000000000114E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_005B1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_005B1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	31 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	31 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.186.78	true	false	unknown
www3.l.google.com	142.250.184.238	true	false	unknown
play.google.com	216.58.212.142	true	false	unknown
www.google.com	142.250.184.228	true	false	unknown
youtube.com	142.250.185.142	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_95.4.dr	false		unknown
https://families.google.com/intl/	chromecache_95.4.dr	false		unknown
https://youtube.com/t/terms?gl=	chromecache_95.4.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_95.4.dr	false		unknown
https://www.google.com/intl/	chromecache_95.4.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_101.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_95.4.dr	false		unknown
https://play.google.com/work/enroll?identifier=	chromecache_95.4.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_95.4.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_95.4.dr	false		unknown
https://policies.google.com/privacy/additional	chromecache_95.4.dr	false		unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_95.4.dr	false		unknown
https://policies.google.com/technologies/cookies	chromecache_95.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_95.4.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_101.4.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_95.4.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_95.4.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_95.4.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_95.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_95.4.dr	false		unknown
https://policies.google.com/privacy	chromecache_95.4.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_95.4.dr	false		unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_95.4.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.78	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
216.58.212.142	play.google.com	United States	15169	GOOGLEUS	false
216.58.206.68	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.142	youtube.com	United States	15169	GOOGLEUS	false
142.250.184.238	www3.l.google.com	United States	15169	GOOGLEUS	false
142.250.184.228	www.google.com	United States	15169	GOOGLEUS	false
142.250.184.206	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.8
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520639
Start date and time:	2024-09-27 17:40:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@31/36@14/10
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 44 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.67, 142.250.185.174, 64.233.166.84, 34.104.35.123, 216.58.206.42, 142.250.185.138, 142.250.185.74, 142.250.185.106, 142.250.184.234, 142.250.185.170, 142.250.186.138, 142.250.186.74, 142.250.181.234, 142.250.186.170, 172.217.18.106, 142.250.184.202, 142.250.185.234, 216.58.212.138, 142.250.185.202, 172.217.16.202, 142.250.186.35, 142.250.186.106, 142.250.74.202, 172.217.18.10, 172.217.23.106, 142.250.186.42, 199.232.210.172, 192.229.221.95, 142.250.185.163, 142.250.74.206
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://effective-teammates-567500.framer.app/	Get hash	malicious	HTMLPhisher	Browse
	ATT71817.docx	Get hash	malicious	HTMLPhisher	Browse
	https://main.d3engbxc9elyir.amplifyapp.com/	Get hash	malicious	Unknown	Browse
	Electronic Receipt for Carolann Campbell.pdf	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://www.google.fr/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Fcasaderestauraciononline.com%2Fholy%2Findexsyn1.html%23cmltYS5hbWV1ckBjYXRhbGluYW1hcmtldGluZy5mcg==	Get hash	malicious	HTMLPhisher	Browse
	https://changeofscene.ladesk.com/605425-Secure-Business-Documen	Get hash	malicious	HTMLPhisher	Browse
	http://polskie-torrenty.eu/redir.php?url=https://globalfinanceweb.com%2FProfile%2Fluig%2Fnzx0k%2FmProtect.html%23abrumley@highlandfunds.com	Get hash	malicious	Unknown	Browse
	https://careeligibility.vercel.app/chubedan	Get hash	malicious	HTMLPhisher	Browse
	https://clicktracking.yellowbook.com/trackingenginewebapp/tracking.html?MB_ID=256862&SE_ID=9&AG_ID=2952701&AD_ID=6851395&kw=restaurants%20near%20me&kw_type=p&C_ID=874339&SE_AD_ID=73873744870314&se_clk_id=0651300f23401ca1b2e355991fb49377&hibu_site=0&redirect_url=https://femalewhowork.sa.com/rUswT/	Get hash	malicious	HTMLPhisher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://effective-teammates-567500.framer.app/	Get hash	malicious	HTMLPhisher	Browse	4.245.163.56 184.28.90.27
	https://main.d3engbxc9elyir.amplifyapp.com/	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	Electronic Receipt for Carolann Campbell.pdf	Get hash	malicious	HTMLPhisher	Browse	4.245.163.56 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	https://www.google.fr/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Fcasaderestauraciononline.com%2Fholy%2Findexsyn1.html%23cmltYS5hbWV1ckBjYXRhbGluYW1hcmtldGluZy5mcg==	Get hash	malicious	HTMLPhisher	Browse	4.245.163.56 184.28.90.27
	https://changeofscene.ladesk.com/605425-Secure-Business-Documen	Get hash	malicious	HTMLPhisher	Browse	4.245.163.56 184.28.90.27
	https://careeligibility.vercel.app/chubedan	Get hash	malicious	HTMLPhisher	Browse	4.245.163.56 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	https://sci-hub.tw/	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 14:41:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.978590813077424
Encrypted:	false
SSDEEP:	48:8WdzsTUQtHMidAKZdA19ehwiZUklqehky+3:88svAjy
MD5:	BF2A6A7B782ED360CEB2866F6CDC3F3F
SHA1:	1B52A1451692B503B829369D8C16D5BAB9C3D59B
SHA-256:	5F002A09D1E8B41FE94E407FD52D367F11E17903ADABE9B1DB78124D984495F1
SHA-512:	FAA7311E4789D491B57E0C97A006C7198D658B7C208398B6118E7D02110EEC4FB2C5668353CF4CF7914B601C3DD5F239BF611BD96237F2126A6988276F57642E
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....B.a.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I;Y"}....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V;Y"}....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V;Y"}....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V;Y"}..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V;Y#}...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............C......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 14:41:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9963519912166405
Encrypted:	false
SSDEEP:	48:8ndzsTUQtHMidAKZdA1weh/iZUkAQkqehTy+2:8lsv69Q6y
MD5:	99AEAFDED1B640D15A176D141C63450D
SHA1:	767A6500DF67B365EAC68B165925B92C4485DA83
SHA-256:	7FB940D2DC03798C3B7A723CE6F8E8C9D3609408CCAC998DCF5EF657228059A3
SHA-512:	BD4F713BD2480E0D98DF923AD0B8B6EE8DCBE467D760255131A308E286CD18A8D6ABCD09716D2FABF4C1394BF6B3AB3674DE6D3A2FE022B9D2569D5EEE8A43F6
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......V.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I;Y"}....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V;Y"}....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V;Y"}....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V;Y"}..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V;Y#}...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............C......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.007418998646242
Encrypted:	false
SSDEEP:	48:8xBdzsTUQsHMidAKZdA14tseh7sFiZUkmgqeh7sZy+BX:8xHsv1nvy
MD5:	59035B3394509BBB85C325EEFA18928E
SHA1:	99B64EAC5AA4A4E1ABB85EB68DB262A1F464C4C2
SHA-256:	C0D0386F09FB024ADF66D1CA18D42BB456CB3595CD35988167F7624EDC1D8909
SHA-512:	6820557B1895D18325738DE3526B86832EC90BD5C32658F3E78C3358524974CDF6A692BAD0812DDB90C0E81B68CDE321C01A32003DF9655E92054B4C2E38FC03
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I;Y"}....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V;Y"}....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V;Y"}....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V;Y"}..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............C......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 14:41:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.996056918615686
Encrypted:	false
SSDEEP:	48:82dzsTUQtHMidAKZdA1vehDiZUkwqehXy+R:8csvhhy
MD5:	DCF3EEA83211EBC8939E89082B0C34CD
SHA1:	DAE18987AA8C80CCA7BDB7C2096F07671936BF19
SHA-256:	51BD8D9972DA521561D48F729134FB551B21976190E8A152AC78A9125236EA55
SHA-512:	07E708816F70FFD88EF97E5B06854DDDB0B3FB7EE9299E7B8D180B48C332756FE1156FD7ABBBDE8415060BB397797E3769D357ACB6A74F893F4CEA5B3AB36DC2
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......N.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I;Y"}....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V;Y"}....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V;Y"}....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V;Y"}..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V;Y#}...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............C......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 14:41:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.985935964334401
Encrypted:	false
SSDEEP:	48:8GdzsTUQtHMidAKZdA1hehBiZUk1W1qehVy+C:8ssvh91y
MD5:	D609A973F389D5554C9F62C9C2EB1B1A
SHA1:	A02D4AD14770054FD3269B04D0C192B70BCF911C
SHA-256:	F22957E157A7E0F5DAA956B03E667244ACF9E0DAECEA3F9E1F17B9BB2CB1768C
SHA-512:	E27330D5B5FCBDC0BA8F56B2B2FE20154E7127CF03884B0F31B3C988DFDBA1C609389702C95485C9FB79E33BA9B303648B07B35A5E77F4FE557785FB40EDC345
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....)].....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I;Y"}....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V;Y"}....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V;Y"}....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V;Y"}..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V;Y#}...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............C......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 14:41:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9941381417076847
Encrypted:	false
SSDEEP:	48:86dzsTUQtHMidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbvy+yT+:8gsvdT/TbxWOvTbvy7T
MD5:	790617C2DA45C49B1DE8767EBE44A942
SHA1:	105DA47D26EBBECA8949B8AB2567D5BFE9F9F36B
SHA-256:	F85F7472B5D897730FADE521E845739E8C2FE1A229CD30AABC9C84B7F9DE1906
SHA-512:	AB7A00111E850DCE2BC57587BD11C0B566E191105A7F646174CB5B0D6C281CD65DC481E99A5559838916E44F8F46E7EC0E91D6D511F90A0057A69C23A3ABC287
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......B.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I;Y"}....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V;Y"}....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V;Y"}....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V;Y"}..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V;Y#}...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............C......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 100

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 101

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	603951
Entropy (8bit):	5.789949489744101
Encrypted:	false
SSDEEP:	3072:x0pApkygA62bwwdnO2YflNYhFGOizdGj008PpVVM96C5bMEPQUhts6FV8eKqtVAT:xlgNmwwdnOsF98oNGuQRAYqXsI1+
MD5:	036BC6CEC1912EAA63C716C2A7494AFC
SHA1:	C32891F55B0D7A86DCE1BDBB7B84DB21C2A09F4F
SHA-256:	1A6181C3DFAEE5919CE57152DCFFCDC4B151C5FB2969CFD62168C1711FF202CF
SHA-512:	0AAA2285D109114921B5FD8A15F9A3D1F218AF8C61054B3925965E6753F8A49B45798326EA986C4A6B6180B6C36292A4652E2BA730C7505684DAAA4B5C314675
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlGsNipZrCRRMFQh1-tVmHSsIDzQTA/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x20469860, 0x1ce13c40, 0x51407a0, 0x1908, 0x0, 0x1b400000, 0x19a00000, 0x0, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Na,Ua,gaa,iaa,lb,qaa,xaa,Daa,Iaa,Laa,Mb,Maa,Rb,Vb,Wb,Naa,Oaa,Xb,Paa,Qaa,Raa,ac,Waa,Yaa,ic,jc,kc,cba,dba,hba,kba,mba,nba,rba,uba,oba,tba,sba,qba,pba,vba,zba,Dba,Eba,Bba,Kc,Lc,Hba,Jba,Nba,Oba,Pba,Qba,Mba,Rba,Tba,gd,Vba,Wba,Yba,$ba,Zba,bca,cca,dca,eca,gca,fca,ica,jca,kca,lca,oca,r

Chrome Cache Entry: 102

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.316515499943097
Encrypted:	false
SSDEEP:	24:kMYD7DduJqrxsNL90YIzFK/Hb5eNhz1uktdDuvKKKGbLZ99GbSSF/ZR8OkdnprGJ:o7DQJopFN+ASCKKGbF99GbSS3RY7rw
MD5:	D97AB4594FC610665FF2763A650EE6A8
SHA1:	5C7459CA838D27BE45745571D8D96D156F4B9F8D
SHA-256:	767D778369623FD8F5FB98D3BCC3130D05D02CBE0B9B88DD226F43281B14E9AF
SHA-512:	CE4941B41C3A8CC983C1BBCC87EF682823CB9DB24EA7A570E35BBF832046340D433F7D47211384B61FA38F3527CC35C195A6068CCB24B48E1F492C5B4D4192A1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.HZa=new _.uf(_.Km);._.l();._.k("P6sQOc");.var MZa=!!(_.Nh[1]&16);var OZa=function(a,b,c,d,e){this.ea=a;this.ta=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=NZa(this)},PZa=function(a){var b={};_.Ma(a.hS(),function(e){b[e]=!0});var c=a.WR(),d=a.cS();return new OZa(a.XO(),c.aa()1E3,a.oR(),d.aa()1E3,b)},NZa=function(a){return Math.random()Math.min(a.taMath.pow(a.ka,a.aa),a.Ca)},HG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var IG=function(a){_.X.call(this,a.Fa);this.da=a.Ea.mV;this.ea=a.Ea.metadata;a=a.Ea.lga;this.fetch=a.fetch.bind(a)};_.J(IG,_.X);IG.Ba=function(){return{Ea:{mV:_.KZa,metadata:_.HZa,lga:_.AZa}}};IG.prototype.aa=function(a,b){if(this.ea.getType(a.Md())!==1)return _.Vm(a);var c=this.da.JU;return(c=c?PZa(c):null)&&HG(c)?_.mya(a,QZa(this,a,b,c)):_.Vm(a)};.var QZa=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 103

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.3872171131917925
Encrypted:	false
SSDEEP:	192:FK/pAzN7GZ068Hqhqu6DQaVapzYjgKItwdiwUsYRTi1j1t9bRl9:FqI7GZ04dRYjghtgisYYbt9ll9
MD5:	AB70454DE18E1CE16E61EAC290FC304D
SHA1:	68532B5E8B262D7E14B8F4507AA69A61146B3C18
SHA-256:	B32D746867CC4FA21FD39437502F401D952D0A3E8DC708DFB7D58B85F256C0F1
SHA-512:	A123C517380BEF0B47F23A5A6E1D16650FE39D9C701F9FA5ADD79294973C118E8EA3A7BA32CB63C3DFC0CE0F843FB86BFFCAA2AAE987629E7DFF84F176DEBB98
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.gNa=_.y("SD8Jgb",[]);._.QX=function(a,b){if(typeof b==="string")a.Nc(b);else if(b instanceof _.Ip&&b.ia&&b.ia===_.B)b=_.$a(b.ww()),a.empty().append(b);else if(b instanceof _.Wa)b=_.$a(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.RX=function(a){var b=_.Lo(a,"[jsslot]");if(b.size()>0)return b;b=new _.Jo([_.Qk("span")]);_.Mo(b,"jsslot","");a.empty().append(b);return b};_.TKb=function(a){return a===null\|\|typeof a==="string"&&_.Ki(a)};._.k("SD8Jgb");._.WX=function(a){_.Y.call(this,a.Fa);this.Ua=a.controller.Ua;this.kd=a.controllers.kd[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.WX,_.Y);_.WX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.hv},header:{jsname:"tJHJj",ctor:_.hv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.3750044852869046
Encrypted:	false
SSDEEP:	48:o7zfN/cD498xdg+Y5jNQ8js6npwk0OmNAEZbpMzR4EQBcW5QcHj9KWfGAeFKRrw:oCD9dA5jOEGh+EFqR4rhqUhzff9w
MD5:	39693D34EE3D1829DBB1627C4FC6687B
SHA1:	A03303C2F027F3749B48D5134D1F8FB3E495C6E9
SHA-256:	03B0C1B4E402E0BCF75D530DD9085B25357EEFD09E238453DE1F3A042542C076
SHA-512:	AC0749EDC33DA0EC0E40470388DD797B6528AD08B8FAC1C2AC42F85198131052BA1B533E90409D35DA237607E8B07D591FA6BA580B6A90B0D0AB2282A01F7585
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var bA=function(a){_.X.call(this,a.Fa)};_.J(bA,_.X);bA.Ba=_.X.Ba;bA.prototype.wR=function(a){return _.af(this,{Wa:{HS:_.ol}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.oi(function(e){window._wjdc=function(f){d(f);e(PJa(f,b,a))}}):PJa(c,b,a)})};var PJa=function(a,b,c){return(a=a&&a[c])?a:b.Wa.HS.wR(c)};.bA.prototype.aa=function(a,b){var c=_.csa(b).Gj;if(c.startsWith("$")){var d=_.jm.get(a);_.xq[b]&&(d\|\|(d={},_.jm.set(a,d)),d[c]=_.xq[b],delete _.xq[b],_.yq--);if(d)if(a=d[c])b=_.ef(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.iu(_.Mfa,bA);._.l();._.k("SNUn3");._.OJa=new _.uf(_.Ag);._.l();._.k("RMhBfe");.var QJa=function(a){var b=_.wq(a);return b?new _.oi(function(c,d){var e=function(){b=_.wq(a);var f=_.Tfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 90

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32499
Entropy (8bit):	5.361345284201954
Encrypted:	false
SSDEEP:	768:mLX1O+aL6fgyIiREM4RKmh90toLoTswtF3ATcbDR6kIsnJd9DPyMv/FI:U2M4oltoLoTswtFoc/tIsnXFLI
MD5:	D5C3FB8EAE24AB7E40009338B5078496
SHA1:	5638BF5986A6445A88CD79A9B690B744B126BEC2
SHA-256:	597C14D360D690BCFDC2B8D315E6BB8879AEF33DE6C30D274743079BDB63C6B0
SHA-512:	6AE434850D473BEF15AA694AB4862596982CDDA6BD3991991D3ADD8F4A5F61DFBF8756D0DA98B72EF083909D68CF7B6B148A6488E9381F92FBF15CCB20176A0E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var qua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.gp("//www.google.com/images/cleardot.gif");_.rp(c)}this.ka=c};_.h=qua.prototype;_.h.Vc=null;_.h.QY=1E4;_.h.Iz=!1;_.h.TP=0;_.h.qJ=null;_.h.DU=null;_.h.setTimeout=function(a){this.QY=a};_.h.start=function(){if(this.Iz)throw Error("dc");this.Iz=!0;this.TP=0;rua(this)};_.h.stop=function(){sua(this);this.Iz=!1};.var rua=function(a){a.TP++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.om((0,_.eg)(a.JG,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.eg)(a.Xia,a),a.aa.onerror=(0,_.eg)(a.Wia,a),a.aa.onabort=(0,_.eg)(a.Via,a),a.qJ=_.om(a.Yia,a.QY,a),a.aa.src=String(a.ka))};_.h=qua.prototype;_.h.Xia=function(){this.JG(!0)};_.h.Wia=function(){this.JG(!1)};_.h.Via=function(){this.JG(!1)};_.h.Yia=function(){this.JG(!1)};._.h.JG=function(a){sua(this);a?(this.Iz=!1,this.da.call(this.ea,!0)):this.TP<=0?rua(this):(this.Iz=!1,

Chrome Cache Entry: 91

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.280977407061266
Encrypted:	false
SSDEEP:	48:o7YNJvl3WlENrpB3stYCIgMxILNH/wf7DVTBpdQrw:oApB8iDwYlGw
MD5:	4FB66582D37D04933F00E49C2FBA34D4
SHA1:	3DB09C53BBEB1EEB045A001356E498D8EF30915D
SHA-256:	A97DAC01ABFE3EB75C7C97D504E21BDDDADDB6EBE0B56B6A9A10CD3700CAB41B
SHA-512:	2AEB3A6CFFBF6EFA626EBDC9E11ACBAC04BFE986F98FBC050B2501898B289C67D392ED195D16ACC9565EF8784401ADA1E88188CDE3A7AB12D98BB5ED7D8A5711
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.zg(_.Kla);_.$z=function(a){_.X.call(this,a.Fa);this.aa=a.Wa.cache};_.J(_.$z,_.X);_.$z.Ba=function(){return{Wa:{cache:_.Zs}}};_.$z.prototype.execute=function(a){_.Gb(a,function(b){var c;_.df(b)&&(c=b.eb.jc(b.jb));c&&this.aa.oG(c)},this);return{}};_.iu(_.Qla,_.$z);._.l();._.k("ZDZcre");.var ZG=function(a){_.X.call(this,a.Fa);this.Nl=a.Ea.Nl;this.G3=a.Ea.metadata;this.aa=a.Ea.Ws};_.J(ZG,_.X);ZG.Ba=function(){return{Ea:{Nl:_.DG,metadata:_.HZa,Ws:_.AG}}};ZG.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Gb(a,function(c){var d=b.G3.getType(c.Md())===2?b.Nl.Pb(c):b.Nl.fetch(c);return _.Jl(c,_.EG)?d.then(function(e){return _.Jd(e)}):d},this)};_.iu(_.Vla,ZG);._.l();._.k("K5nYTd");._.GZa=new _.uf(_.Rla);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var GG=function(a){_.X.call(this,a.Fa);this.aa=a.Ea.ZP};_.J(GG,_.X);GG.Ba=func

Chrome Cache Entry: 92

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4070
Entropy (8bit):	5.362700670482359
Encrypted:	false
SSDEEP:	96:GUpT+TmXtdW1qsHFcn7t7CnyWYvNTcLaQOw:lpT+qXW1PFcn7tGnyWY1TGb
MD5:	ED368A20CB303C0E7C6A3E6E43C2E14F
SHA1:	429A5C538B45221F80405163D1F87912DD73C05A
SHA-256:	93BA77AD4B11E0A70C0D36576F0DF24E27F50001EA02BAA6D357E034532D97F2
SHA-512:	DE74BBADE910475DD245FFEFD4E1FD10137DE710B1C920D33BA52554911496E1339EF3C1F6D9D315CBC98A60ABE5687A3E7D8BEE483708E18D25722E794BDBE9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.zg(_.dqa);._.k("sOXFj");.var ou=function(a){_.X.call(this,a.Fa)};_.J(ou,_.X);ou.Ba=_.X.Ba;ou.prototype.aa=function(a){return a()};_.iu(_.cqa,ou);._.l();._.k("oGtAuc");._.oya=new _.uf(_.dqa);._.l();._.k("q0xTif");.var iza=function(a){var b=function(d){_.Zn(d)&&(_.Zn(d).Gc=null,_.yu(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Ku=function(a){_.et.call(this,a.Fa);this.Qa=this.dom=null;if(this.Vk()){var b=_.Jm(this.Mg(),[_.Om,_.Nm]);b=_.ri([b[_.Om],b[_.Nm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.cu(this,b)}this.Ra=a.Xl.Hda};_.J(Ku,_.et);Ku.Ba=function(){return{Xl:{Hda:function(a){return _.Ye(a)}}}};Ku.prototype.yp=function(a){return this.Ra.yp(a)};.Ku.prototype.getData=function(a){return this.Ra.getData(a)};Ku.prototype.vp=function(){_.Ft(this.d

Chrome Cache Entry: 93

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 94

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 95

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	697429
Entropy (8bit):	5.593310312179182
Encrypted:	false
SSDEEP:	6144:TYNlxfbDTYDhzCTNoygVWyJb5eGpbL2Mp15gI8seqfh53p+rrvV7i:T25bDTYB+qeGB+Nu
MD5:	92F0F5E28355D863ACB77313F1E675DE
SHA1:	8AD6F9B535D5B8952A4ADCCC57E4A4E0723F1E8D
SHA-256:	F903AE346609A2872554A3D8FFBDB1836CB5C8B7AAAED4C3F8296B887E03D833
SHA-512:	0C81A6CD850C6ACDBE9CCCBA00BBA34CDE1E09E8572814AE8E55DBED3C2B56F0B020359841F8217843B3403847DF46FA1C82229684F762A73C8110CE45898DAF
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 96

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (569)
Category:	downloaded
Size (bytes):	3471
Entropy (8bit):	5.5174491302699495
Encrypted:	false
SSDEEP:	96:ojAmjTJ/fJgpIcB7Fd2tilGBEMO/A6VxV08w:vUTJpgDJXM0ApJ
MD5:	2D999C87DD54C7FE6400D267C33FBB23
SHA1:	414C3A329C2760325EDBACBD7A221D7F8DBFEEE8
SHA-256:	76D55A1AFC1D39CB04D60EB04E45A538A0E75EE2871561C84CC89B1C13596BCC
SHA-512:	72D923BB71DD147139962FF8E2BD0E336E0F6409C212AC2F25387D0F3B4FC9365F5A6D40E2980BB1065534888362C97D6B7663E362D29166B5915D2A9DA7D238
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var Txa=function(){var a=_.Ke();return _.L(a,1)},Tt=function(a){this.Da=_.t(a,0,Tt.messageId)};_.J(Tt,_.w);Tt.prototype.Ha=function(){return _.Hj(this,1)};Tt.prototype.Va=function(a){return _.Yj(this,1,a)};Tt.messageId="f.bo";var Ut=function(){_.km.call(this)};_.J(Ut,_.km);Ut.prototype.ud=function(){this.jT=!1;Uxa(this);_.km.prototype.ud.call(this)};Ut.prototype.aa=function(){Vxa(this);if(this.hC)return Wxa(this),!1;if(!this.sV)return Vt(this),!0;this.dispatchEvent("p");if(!this.fP)return Vt(this),!0;this.jM?(this.dispatchEvent("r"),Vt(this)):Wxa(this);return!1};.var Xxa=function(a){var b=new _.gp(a.z4);a.WP!=null&&_.Mn(b,"authuser",a.WP);return b},Wxa=function(a){a.hC=!0;var b=Xxa(a),c="rt=r&f_uid="+_.sk(a.fP);_.fn(b,(0,_.eg)(a.ea,a),"POST",c)};.Ut.prototype.ea=function(a){a=a.target;Vxa(this);if(_.jn(a)){this.RJ=0;if(this.jM)this.hC=!1,this.dispatchEvent("r")

Chrome Cache Entry: 97

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.253939888205379
Encrypted:	false
SSDEEP:	48:o7BNJfeFb8L3A6FHqIy5Z+d70OCzSfvi/3fM/r8ZQzRrw:oFuILhFHrVCz0vLZz9w
MD5:	10FF6F99E3228E96AFD6E2C30EF97C0A
SHA1:	4AE3DCB8D1F5A0C302D5BAD9DFF5050A7A5E8130
SHA-256:	95E5546E1C7F311D07BB5050CC456A973E43BCC4777BA6014757376016537679
SHA-512:	116C0B1CAC98A27044100005545AB66BE5F4801D75DC259093A9F145B3A4ACD8DC1C360AF525F6DC8421CD54B675A78023D2ED8B57F5946A3969543758C673C9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.$Z=function(a){_.X.call(this,a.Fa);this.window=a.Ea.window.get();this.Mc=a.Ea.Mc};_.J(_.$Z,_.X);_.$Z.Ba=function(){return{Ea:{window:_.lu,Mc:_.vE}}};_.$Z.prototype.Mo=function(){};_.$Z.prototype.addEncryptionRecoveryMethod=function(){};_.a_=function(a){return(a==null?void 0:a.Go)\|\|function(){}};_.b_=function(a){return(a==null?void 0:a.N2)\|\|function(){}};_.OOb=function(a){return(a==null?void 0:a.Mp)\|\|function(){}};._.POb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.QOb=function(a){setTimeout(function(){throw a;},0)};_.$Z.prototype.WN=function(){return!0};_.iu(_.Dn,_.$Z);._.l();._.k("ziXSP");.var t_=function(a){_.$Z.call(this,a.Fa)};_.J(t_,_.$Z);t_.Ba=_.$Z.Ba;t_.prototype.Mo=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 98

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3346)
Category:	downloaded
Size (bytes):	22827
Entropy (8bit):	5.420322672717721
Encrypted:	false
SSDEEP:	384:/jqdWXWfyA20UUjDE8BSUxDJs16KHvSN34kaHaN+587SaXD2mLR0H:/jqdWXAUUjDE84Wi6KPSKjHaN+58+0J2
MD5:	2B29741A316862EE788996DD29116DD5
SHA1:	9D5551916D4452E977C39B8D69CF88DF2AAA462B
SHA-256:	62955C853976B722EFBB4C116A10DB3FF54580EDD7495D280177550B8F4289AB
SHA-512:	6E37C3258F07F29909763728DADE0CD40A3602D55D9099F78B37756926FCF2A50008B82876B518FEAF3E56617F0F7D1D37A73C346A99A58E6AD8BCD6689E9B15
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.pu.prototype.da=_.ca(38,function(){return _.vj(this,3)});_.Vy=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.Vy.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.Wy=function(){this.ka=!0;var a=_.Bj(_.jk(_.Fe("TSDtV",window),_.pya),_.pu,1,_.uj())[0];if(a){var b={};for(var c=_.n(_.Bj(a,_.qya,2,_.uj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Nj(d,1).toString();switch(_.xj(d,_.qu)){case 3:b[e]=_.Lj(d,_.pj(d,_.qu,3));break;case 2:b[e]=_.Nj(d,_.pj(d,_.qu,2));break;case 4:b[e]=_.Oj(d,_.pj(d,_.qu,4));break;case 5:b[e]=_.L(d,_.pj(d,_.qu,5));break;case 6:b[e]=_.Sj(d,_.kf,6,_.qu);break;default:throw Error("id`"+_.xj(d,_.qu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.Wy.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Fe("nQyAE",window)){var b=_.sya(a.flagName);if(b===null)a=a.def

Chrome Cache Entry: 99

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5049
Entropy (8bit):	5.317800104741948
Encrypted:	false
SSDEEP:	96:oHX9gPiPrfnHhsB0TR6kg1oDPJzLmM18Vh1z2fEZ54TZtnqj6w:EtEAr6BmPZtOeEvW/ncP
MD5:	CE53EF566B68CCF2D62FA044CFB0D138
SHA1:	F48EC60289F2B55E8B388601206888F8295B1EB1
SHA-256:	E6CC5114D92811D5DE0663266D4B63F367834AFA0FC3BAFA54F707038C59D010
SHA-512:	20B434881DE971E263669E6096C01665D4D35B0FBFF47D312A4A442645EE962A8CE6AD7E68246D4EE9691BD30D9B1DDCF7059226492E1B58CD3191B63B001E4D
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.$Ma=_.y("wg1P6b",[_.OA,_.Fn,_.Rn]);._.k("wg1P6b");.var M5a;M5a=_.oh(["aria-"]);._.mJ=function(a){_.Y.call(this,a.Fa);this.Ja=this.ta=this.aa=this.viewportElement=this.La=null;this.Tc=a.Ea.qf;this.ab=a.Ea.focus;this.Lc=a.Ea.Lc;this.ea=this.Ei();a=-1*parseInt(_.Fo(this.Ei().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Fo(this.Ei().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.gf(this.getData("isMenuDynamic"),!1);b=_.gf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Sc(0),_.fu(this,.N5a(this,this.aa.el())));_.mF(this.oa())&&(a=this.oa().el(),b=this.De.bind(this),a.__soy_skip_handler=b)};_.J(_.mJ,_.Y);_.mJ.Ba=function(){return{Ea:{qf:_.SE,focus:_.BE,Lc:_.mu}}};_.mJ.prototype.pF=function(a){var b=a.source;this.La=b;var c;((c=a.data)==null?0:c.Jy)?(a=a.data.Jy,this.Ca=a==="MOUS

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.036733434834559
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'167'360 bytes
MD5:	0cdc96575612c0492c5137e300d18cee
SHA1:	e02a5ed08f2b187d8709acf6fe680750e32ea1f0
SHA256:	6b46a024fb39fefa5bce5a16113c610bb0b5f9f2f77034b638cb50daea5682d6
SHA512:	2c514a465d7554b0ac07fdba52d59e96baa93dff20e3208421756f2e95bc1b16fac2204b1cd6cb696f10f92782812f17a79c394afbd7ac07ad73bd9d6f0845e0
SSDEEP:	24576:XqDEvCTbMWu7rQYlBQcBiT6rprG8ar32+b+HdiJUK:XTvC/MTQYxsWR7ar32+b+HoJU
TLSH:	9245CF027391C062FF9B92734F5AF6115BBC69260123E61F13981DBABE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F6CE5D [Fri Sep 27 15:25:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F9F58BFE813h
jmp 00007F9F58BFE11Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9F58BFE2FDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9F58BFE2CAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F9F58C00EBDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F9F58C00F08h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F9F58C00EF1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x46464	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11b000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x46464	0x46600	56087394f0de928afb4db961a3a60167	False	0.9059655306394316	data	7.844916540599419	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11b000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x3d72c	data			1.0003416874592757
RT_GROUP_ICON	0x119ee4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x119f5c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x119f70	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x119f84	0x14	data	English	Great Britain	1.25
RT_VERSION	0x119f98	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11a074	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 17:41:00.062271118 CEST	49674	443	192.168.2.5	23.1.237.91
Sep 27, 2024 17:41:00.202920914 CEST	49675	443	192.168.2.5	23.1.237.91
Sep 27, 2024 17:41:00.312421083 CEST	49673	443	192.168.2.5	23.1.237.91
Sep 27, 2024 17:41:04.854748964 CEST	49707	443	192.168.2.5	142.250.185.142
Sep 27, 2024 17:41:04.854772091 CEST	443	49707	142.250.185.142	192.168.2.5
Sep 27, 2024 17:41:04.854821920 CEST	49707	443	192.168.2.5	142.250.185.142
Sep 27, 2024 17:41:04.855861902 CEST	49707	443	192.168.2.5	142.250.185.142
Sep 27, 2024 17:41:04.855879068 CEST	443	49707	142.250.185.142	192.168.2.5
Sep 27, 2024 17:41:05.503460884 CEST	443	49707	142.250.185.142	192.168.2.5
Sep 27, 2024 17:41:05.506298065 CEST	49707	443	192.168.2.5	142.250.185.142
Sep 27, 2024 17:41:05.506324053 CEST	443	49707	142.250.185.142	192.168.2.5
Sep 27, 2024 17:41:05.506968021 CEST	443	49707	142.250.185.142	192.168.2.5
Sep 27, 2024 17:41:05.507025957 CEST	49707	443	192.168.2.5	142.250.185.142
Sep 27, 2024 17:41:05.508235931 CEST	443	49707	142.250.185.142	192.168.2.5
Sep 27, 2024 17:41:05.508280993 CEST	49707	443	192.168.2.5	142.250.185.142
Sep 27, 2024 17:41:05.509757042 CEST	49707	443	192.168.2.5	142.250.185.142
Sep 27, 2024 17:41:05.509835005 CEST	443	49707	142.250.185.142	192.168.2.5
Sep 27, 2024 17:41:05.509963989 CEST	49707	443	192.168.2.5	142.250.185.142
Sep 27, 2024 17:41:05.509970903 CEST	443	49707	142.250.185.142	192.168.2.5
Sep 27, 2024 17:41:05.554400921 CEST	49707	443	192.168.2.5	142.250.185.142
Sep 27, 2024 17:41:05.801610947 CEST	443	49707	142.250.185.142	192.168.2.5
Sep 27, 2024 17:41:05.801661015 CEST	49707	443	192.168.2.5	142.250.185.142
Sep 27, 2024 17:41:05.801687956 CEST	443	49707	142.250.185.142	192.168.2.5
Sep 27, 2024 17:41:05.801700115 CEST	443	49707	142.250.185.142	192.168.2.5
Sep 27, 2024 17:41:05.801742077 CEST	49707	443	192.168.2.5	142.250.185.142
Sep 27, 2024 17:41:05.804791927 CEST	49707	443	192.168.2.5	142.250.185.142
Sep 27, 2024 17:41:05.804812908 CEST	443	49707	142.250.185.142	192.168.2.5
Sep 27, 2024 17:41:05.817781925 CEST	49710	443	192.168.2.5	142.250.186.78
Sep 27, 2024 17:41:05.817821980 CEST	443	49710	142.250.186.78	192.168.2.5
Sep 27, 2024 17:41:05.817909002 CEST	49710	443	192.168.2.5	142.250.186.78
Sep 27, 2024 17:41:05.818363905 CEST	49710	443	192.168.2.5	142.250.186.78
Sep 27, 2024 17:41:05.818376064 CEST	443	49710	142.250.186.78	192.168.2.5
Sep 27, 2024 17:41:06.468204021 CEST	443	49710	142.250.186.78	192.168.2.5
Sep 27, 2024 17:41:06.468595982 CEST	49710	443	192.168.2.5	142.250.186.78
Sep 27, 2024 17:41:06.468611002 CEST	443	49710	142.250.186.78	192.168.2.5
Sep 27, 2024 17:41:06.469007015 CEST	443	49710	142.250.186.78	192.168.2.5
Sep 27, 2024 17:41:06.469151974 CEST	49710	443	192.168.2.5	142.250.186.78
Sep 27, 2024 17:41:06.469727993 CEST	443	49710	142.250.186.78	192.168.2.5
Sep 27, 2024 17:41:06.469785929 CEST	49710	443	192.168.2.5	142.250.186.78
Sep 27, 2024 17:41:06.470808029 CEST	49710	443	192.168.2.5	142.250.186.78
Sep 27, 2024 17:41:06.470870018 CEST	443	49710	142.250.186.78	192.168.2.5
Sep 27, 2024 17:41:06.471044064 CEST	49710	443	192.168.2.5	142.250.186.78
Sep 27, 2024 17:41:06.471055031 CEST	443	49710	142.250.186.78	192.168.2.5
Sep 27, 2024 17:41:06.523139954 CEST	49710	443	192.168.2.5	142.250.186.78
Sep 27, 2024 17:41:06.787761927 CEST	443	49710	142.250.186.78	192.168.2.5
Sep 27, 2024 17:41:06.787780046 CEST	443	49710	142.250.186.78	192.168.2.5
Sep 27, 2024 17:41:06.787856102 CEST	443	49710	142.250.186.78	192.168.2.5
Sep 27, 2024 17:41:06.787861109 CEST	49710	443	192.168.2.5	142.250.186.78
Sep 27, 2024 17:41:06.787915945 CEST	49710	443	192.168.2.5	142.250.186.78
Sep 27, 2024 17:41:06.797856092 CEST	49710	443	192.168.2.5	142.250.186.78
Sep 27, 2024 17:41:06.797879934 CEST	443	49710	142.250.186.78	192.168.2.5
Sep 27, 2024 17:41:08.954499960 CEST	49715	443	192.168.2.5	142.250.184.228
Sep 27, 2024 17:41:08.954540968 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:08.954646111 CEST	49715	443	192.168.2.5	142.250.184.228
Sep 27, 2024 17:41:08.954974890 CEST	49715	443	192.168.2.5	142.250.184.228
Sep 27, 2024 17:41:08.954988003 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:09.593636990 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:09.593933105 CEST	49715	443	192.168.2.5	142.250.184.228
Sep 27, 2024 17:41:09.593947887 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:09.595366955 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:09.595436096 CEST	49715	443	192.168.2.5	142.250.184.228
Sep 27, 2024 17:41:09.596450090 CEST	49715	443	192.168.2.5	142.250.184.228
Sep 27, 2024 17:41:09.596529007 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:09.628236055 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:09.628305912 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:09.628381014 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:09.630011082 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:09.630038023 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:09.648027897 CEST	49715	443	192.168.2.5	142.250.184.228
Sep 27, 2024 17:41:09.648039103 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:09.663522005 CEST	49674	443	192.168.2.5	23.1.237.91
Sep 27, 2024 17:41:09.694791079 CEST	49715	443	192.168.2.5	142.250.184.228
Sep 27, 2024 17:41:09.804156065 CEST	49675	443	192.168.2.5	23.1.237.91
Sep 27, 2024 17:41:09.913526058 CEST	49673	443	192.168.2.5	23.1.237.91
Sep 27, 2024 17:41:10.283642054 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:10.283725977 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:10.292212009 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:10.292248011 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:10.292587996 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:10.337517023 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:10.422714949 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:10.467408895 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:10.608943939 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:10.609107018 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:10.609155893 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:10.609327078 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:10.609349966 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:10.609363079 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:10.609370947 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:10.641851902 CEST	49721	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:10.641913891 CEST	443	49721	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:10.642000914 CEST	49721	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:10.642772913 CEST	49721	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:10.642791033 CEST	443	49721	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:11.296237946 CEST	443	49721	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:11.296395063 CEST	49721	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:11.297588110 CEST	49721	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:11.297595978 CEST	443	49721	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:11.297936916 CEST	443	49721	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:11.301671982 CEST	49721	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:11.347404957 CEST	443	49721	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:11.470093012 CEST	443	49703	23.1.237.91	192.168.2.5
Sep 27, 2024 17:41:11.470226049 CEST	49703	443	192.168.2.5	23.1.237.91
Sep 27, 2024 17:41:11.573555946 CEST	443	49721	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:11.573718071 CEST	443	49721	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:11.574456930 CEST	49721	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:11.574527025 CEST	49721	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:11.574552059 CEST	443	49721	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:11.574583054 CEST	49721	443	192.168.2.5	184.28.90.27
Sep 27, 2024 17:41:11.574588060 CEST	443	49721	184.28.90.27	192.168.2.5
Sep 27, 2024 17:41:13.617917061 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:13.617958069 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:13.618109941 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:13.618402958 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:13.618416071 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.256633997 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.256908894 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.256942987 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.257333994 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.257400990 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.257991076 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.258048058 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.259500027 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.259572983 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.259685993 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.304574013 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.304600000 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.351469994 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.573678017 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.573751926 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.573793888 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.573810101 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.573853016 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.573875904 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.579581022 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.579637051 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.579648018 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.585984945 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.586038113 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.586046934 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.586061954 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.586148977 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.592330933 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.592391014 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.598385096 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.598439932 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.598444939 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.598452091 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.598494053 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.661911011 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.661983013 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.661994934 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.662045956 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.662631035 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.662688017 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.668865919 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.668926001 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.675210953 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.675259113 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.675278902 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.675292969 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.677153111 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.681525946 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.681669950 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.681684971 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.688627958 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.689850092 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.689863920 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.696017981 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.696206093 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.696288109 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.922897100 CEST	49732	443	192.168.2.5	142.250.184.238
Sep 27, 2024 17:41:14.922941923 CEST	443	49732	142.250.184.238	192.168.2.5
Sep 27, 2024 17:41:14.972039938 CEST	49735	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:14.972145081 CEST	443	49735	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:14.972256899 CEST	49735	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:14.972995996 CEST	49735	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:14.973028898 CEST	443	49735	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.056195974 CEST	49736	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.056247950 CEST	443	49736	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.056341887 CEST	49736	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.056592941 CEST	49736	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.056607008 CEST	443	49736	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.613584995 CEST	443	49735	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.615406990 CEST	49735	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.615439892 CEST	443	49735	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.616029024 CEST	443	49735	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.616209984 CEST	49735	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.617069960 CEST	443	49735	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.617136955 CEST	49735	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.618218899 CEST	49735	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.618357897 CEST	443	49735	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.618500948 CEST	49735	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.618509054 CEST	443	49735	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.662565947 CEST	49735	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.711210012 CEST	443	49736	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.711504936 CEST	49736	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.711534977 CEST	443	49736	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.711838007 CEST	443	49736	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.711891890 CEST	49736	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.712461948 CEST	443	49736	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.712507010 CEST	49736	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.712630987 CEST	49736	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.712682962 CEST	443	49736	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.712960005 CEST	49736	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.759397984 CEST	443	49736	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.759639025 CEST	49736	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.759685040 CEST	443	49736	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.814707994 CEST	49736	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.928852081 CEST	443	49735	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.929341078 CEST	443	49735	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.929399967 CEST	49735	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.929588079 CEST	49735	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.929615974 CEST	443	49735	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.929630041 CEST	49735	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.929661989 CEST	49735	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.930762053 CEST	49740	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.930802107 CEST	443	49740	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:15.930869102 CEST	49740	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.931376934 CEST	49740	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:15.931395054 CEST	443	49740	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.023045063 CEST	443	49736	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.023690939 CEST	443	49736	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.023747921 CEST	49736	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.027507067 CEST	49736	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.027542114 CEST	443	49736	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.028387070 CEST	49742	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.028453112 CEST	443	49742	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.028517008 CEST	49742	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.028897047 CEST	49742	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.028913975 CEST	443	49742	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.563093901 CEST	443	49740	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.563484907 CEST	49740	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.563519955 CEST	443	49740	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.564052105 CEST	443	49740	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.564130068 CEST	49740	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.565104008 CEST	443	49740	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.565165043 CEST	49740	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.565315008 CEST	49740	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.565399885 CEST	443	49740	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.565483093 CEST	49740	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.565490961 CEST	443	49740	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.565526962 CEST	49740	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.607403994 CEST	443	49740	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.617001057 CEST	49740	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.756623030 CEST	443	49742	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.756943941 CEST	49742	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.756980896 CEST	443	49742	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.757301092 CEST	443	49742	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.757369041 CEST	49742	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.757900953 CEST	443	49742	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.757966042 CEST	49742	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.758100033 CEST	49742	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.758152008 CEST	443	49742	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.758311987 CEST	49742	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.758332968 CEST	443	49742	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.758356094 CEST	49742	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.783097982 CEST	443	49740	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.783298969 CEST	443	49740	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.783366919 CEST	49740	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.784411907 CEST	49740	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.784431934 CEST	443	49740	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.803409100 CEST	443	49742	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.804207087 CEST	49742	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.974915028 CEST	443	49742	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.976208925 CEST	443	49742	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:16.976273060 CEST	49742	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.976917028 CEST	49742	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:16.976939917 CEST	443	49742	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:17.264849901 CEST	49715	443	192.168.2.5	142.250.184.228
Sep 27, 2024 17:41:17.307415009 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:17.566297054 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:17.566343069 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:17.566379070 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:17.566379070 CEST	49715	443	192.168.2.5	142.250.184.228
Sep 27, 2024 17:41:17.566401005 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:17.566426039 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:17.566430092 CEST	49715	443	192.168.2.5	142.250.184.228
Sep 27, 2024 17:41:17.566437006 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:17.566462040 CEST	49715	443	192.168.2.5	142.250.184.228
Sep 27, 2024 17:41:17.566559076 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:17.566613913 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:17.566649914 CEST	49715	443	192.168.2.5	142.250.184.228
Sep 27, 2024 17:41:17.567534924 CEST	49715	443	192.168.2.5	142.250.184.228
Sep 27, 2024 17:41:17.567553997 CEST	443	49715	142.250.184.228	192.168.2.5
Sep 27, 2024 17:41:20.488274097 CEST	49748	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:20.488337994 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:20.488406897 CEST	49748	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:20.489419937 CEST	49748	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:20.489437103 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:21.273148060 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:21.273212910 CEST	49748	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:21.275774002 CEST	49748	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:21.275798082 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:21.276063919 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:21.319921017 CEST	49748	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:21.836496115 CEST	49748	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:21.879414082 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:22.090599060 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:22.090625048 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:22.090631962 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:22.090643883 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:22.090672016 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:22.090671062 CEST	49748	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:22.090698004 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:22.090698957 CEST	49748	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:22.090706110 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:22.090722084 CEST	49748	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:22.090739965 CEST	49748	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:22.090791941 CEST	49748	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:22.091320992 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:22.091370106 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:22.091419935 CEST	49748	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:22.602302074 CEST	49748	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:22.602345943 CEST	443	49748	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:22.745749950 CEST	49754	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:22.745810986 CEST	443	49754	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:22.745873928 CEST	49754	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:22.746334076 CEST	49754	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:22.746347904 CEST	443	49754	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:23.378042936 CEST	443	49754	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:23.379086018 CEST	49754	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:23.379115105 CEST	443	49754	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:23.379753113 CEST	443	49754	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:23.380161047 CEST	49754	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:23.380264044 CEST	443	49754	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:23.380775928 CEST	49754	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:23.380908966 CEST	49754	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:23.380914927 CEST	443	49754	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:23.749862909 CEST	443	49754	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:23.751149893 CEST	443	49754	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:23.755152941 CEST	49754	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:23.756295919 CEST	49754	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:23.756319046 CEST	443	49754	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:45.120321989 CEST	49756	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:45.120381117 CEST	443	49756	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:45.120454073 CEST	49756	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:45.120786905 CEST	49756	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:45.120809078 CEST	443	49756	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:45.798597097 CEST	443	49756	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:45.798917055 CEST	49756	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:45.798934937 CEST	443	49756	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:45.799464941 CEST	443	49756	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:45.799909115 CEST	49756	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:45.799985886 CEST	443	49756	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:45.800136089 CEST	49756	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:45.800153971 CEST	49756	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:45.800165892 CEST	443	49756	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:45.979012966 CEST	49757	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:45.979058027 CEST	443	49757	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:45.979118109 CEST	49757	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:45.979557991 CEST	49757	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:45.979569912 CEST	443	49757	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.105267048 CEST	443	49756	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.107095957 CEST	443	49756	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.107198954 CEST	49756	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.107342005 CEST	49756	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.107364893 CEST	443	49756	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.228952885 CEST	49758	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.229062080 CEST	443	49758	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.229146957 CEST	49758	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.229403019 CEST	49758	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.229440928 CEST	443	49758	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.666466951 CEST	443	49757	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.666765928 CEST	49757	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.666831017 CEST	443	49757	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.667992115 CEST	443	49757	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.668356895 CEST	49757	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.668433905 CEST	443	49757	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.668555975 CEST	49757	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.668595076 CEST	49757	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.668606997 CEST	443	49757	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.875096083 CEST	443	49758	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.875416994 CEST	49758	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.875524998 CEST	443	49758	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.877068996 CEST	443	49758	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.877424955 CEST	49758	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.877600908 CEST	443	49758	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.877633095 CEST	49758	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.877648115 CEST	49758	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.877711058 CEST	443	49758	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.929220915 CEST	49758	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.992672920 CEST	443	49757	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.992809057 CEST	443	49757	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:46.993201971 CEST	49757	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.993320942 CEST	49757	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:46.993349075 CEST	443	49757	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:47.126388073 CEST	443	49758	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:47.127135038 CEST	443	49758	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:47.127233982 CEST	49758	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:47.127604961 CEST	49758	443	192.168.2.5	216.58.212.142
Sep 27, 2024 17:41:47.127651930 CEST	443	49758	216.58.212.142	192.168.2.5
Sep 27, 2024 17:41:59.066538095 CEST	49759	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:59.066586018 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:59.066653013 CEST	49759	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:59.067065954 CEST	49759	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:59.067076921 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:59.839956999 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:59.840044022 CEST	49759	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:59.843914986 CEST	49759	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:59.843971968 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:59.844398975 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:41:59.856476068 CEST	49759	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:41:59.899410963 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:42:00.160927057 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:42:00.160985947 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:42:00.161030054 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:42:00.161052942 CEST	49759	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:42:00.161082983 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:42:00.161094904 CEST	49759	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:42:00.161138058 CEST	49759	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:42:00.161278009 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:42:00.161329985 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:42:00.161364079 CEST	49759	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:42:00.161385059 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:42:00.161425114 CEST	49759	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:42:00.161793947 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:42:00.161849976 CEST	49759	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:42:00.166140079 CEST	49759	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:42:00.166157007 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:42:00.166167974 CEST	49759	443	192.168.2.5	4.245.163.56
Sep 27, 2024 17:42:00.166173935 CEST	443	49759	4.245.163.56	192.168.2.5
Sep 27, 2024 17:42:09.004390001 CEST	49761	443	192.168.2.5	216.58.206.68
Sep 27, 2024 17:42:09.004497051 CEST	443	49761	216.58.206.68	192.168.2.5
Sep 27, 2024 17:42:09.004597902 CEST	49761	443	192.168.2.5	216.58.206.68
Sep 27, 2024 17:42:09.004925966 CEST	49761	443	192.168.2.5	216.58.206.68
Sep 27, 2024 17:42:09.004970074 CEST	443	49761	216.58.206.68	192.168.2.5
Sep 27, 2024 17:42:09.876224995 CEST	443	49761	216.58.206.68	192.168.2.5
Sep 27, 2024 17:42:09.876544952 CEST	49761	443	192.168.2.5	216.58.206.68
Sep 27, 2024 17:42:09.876626015 CEST	443	49761	216.58.206.68	192.168.2.5
Sep 27, 2024 17:42:09.877072096 CEST	443	49761	216.58.206.68	192.168.2.5
Sep 27, 2024 17:42:09.877373934 CEST	49761	443	192.168.2.5	216.58.206.68
Sep 27, 2024 17:42:09.877450943 CEST	443	49761	216.58.206.68	192.168.2.5
Sep 27, 2024 17:42:09.929380894 CEST	49761	443	192.168.2.5	216.58.206.68
Sep 27, 2024 17:42:15.347867966 CEST	49763	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:15.347973108 CEST	443	49763	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:15.348061085 CEST	49763	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:15.348257065 CEST	49763	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:15.348292112 CEST	443	49763	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:15.985214949 CEST	443	49763	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:15.985696077 CEST	49763	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:15.985713005 CEST	443	49763	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:15.986265898 CEST	443	49763	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:15.986695051 CEST	49763	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:15.986763000 CEST	443	49763	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:15.986891985 CEST	49763	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:15.986926079 CEST	49763	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:15.986929893 CEST	443	49763	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:16.391879082 CEST	443	49763	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:16.392011881 CEST	443	49763	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:16.392080069 CEST	49763	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:16.395379066 CEST	49763	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:16.395400047 CEST	443	49763	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:16.559820890 CEST	49765	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:16.559876919 CEST	443	49765	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:16.559942961 CEST	49765	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:16.560636044 CEST	49765	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:16.560657978 CEST	443	49765	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:17.375159025 CEST	443	49765	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:17.388499022 CEST	49765	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:17.388552904 CEST	443	49765	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:17.388988018 CEST	443	49765	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:17.389350891 CEST	49765	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:17.389421940 CEST	443	49765	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:17.389540911 CEST	49765	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:17.389576912 CEST	49765	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:17.389585018 CEST	443	49765	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:17.681071043 CEST	443	49765	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:17.682053089 CEST	443	49765	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:17.682118893 CEST	49765	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:17.682416916 CEST	49765	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:17.682452917 CEST	443	49765	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:19.777040958 CEST	443	49761	216.58.206.68	192.168.2.5
Sep 27, 2024 17:42:19.777232885 CEST	443	49761	216.58.206.68	192.168.2.5
Sep 27, 2024 17:42:19.777308941 CEST	49761	443	192.168.2.5	216.58.206.68
Sep 27, 2024 17:42:32.944530010 CEST	49761	443	192.168.2.5	216.58.206.68
Sep 27, 2024 17:42:32.944605112 CEST	443	49761	216.58.206.68	192.168.2.5
Sep 27, 2024 17:42:46.668231010 CEST	49767	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:46.668294907 CEST	443	49767	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:46.668405056 CEST	49767	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:46.669085979 CEST	49767	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:46.669106960 CEST	443	49767	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:47.425225019 CEST	443	49767	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:47.425605059 CEST	49767	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:47.425633907 CEST	443	49767	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:47.427858114 CEST	443	49767	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:47.428186893 CEST	49767	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:47.428349972 CEST	49767	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:47.428356886 CEST	443	49767	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:47.428378105 CEST	443	49767	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:47.428388119 CEST	49767	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:47.428472042 CEST	443	49767	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:47.477231026 CEST	49767	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:47.728216887 CEST	443	49767	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:47.729351044 CEST	443	49767	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:47.729425907 CEST	49767	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:47.729746103 CEST	49767	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:47.729763985 CEST	443	49767	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:48.953320980 CEST	49768	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:48.953371048 CEST	443	49768	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:48.953448057 CEST	49768	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:48.959816933 CEST	49768	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:48.959830999 CEST	443	49768	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:49.676621914 CEST	443	49768	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:49.676927090 CEST	49768	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:49.676944971 CEST	443	49768	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:49.677702904 CEST	443	49768	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:49.678000927 CEST	49768	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:49.678093910 CEST	443	49768	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:49.678165913 CEST	49768	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:49.678180933 CEST	49768	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:49.678222895 CEST	443	49768	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:49.993067026 CEST	443	49768	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:49.993235111 CEST	443	49768	142.250.184.206	192.168.2.5
Sep 27, 2024 17:42:49.993321896 CEST	49768	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:49.993897915 CEST	49768	443	192.168.2.5	142.250.184.206
Sep 27, 2024 17:42:49.993912935 CEST	443	49768	142.250.184.206	192.168.2.5
Sep 27, 2024 17:43:09.072247982 CEST	49769	443	192.168.2.5	216.58.206.68
Sep 27, 2024 17:43:09.072299004 CEST	443	49769	216.58.206.68	192.168.2.5
Sep 27, 2024 17:43:09.072396040 CEST	49769	443	192.168.2.5	216.58.206.68
Sep 27, 2024 17:43:09.072644949 CEST	49769	443	192.168.2.5	216.58.206.68
Sep 27, 2024 17:43:09.072655916 CEST	443	49769	216.58.206.68	192.168.2.5
Sep 27, 2024 17:43:09.712436914 CEST	443	49769	216.58.206.68	192.168.2.5
Sep 27, 2024 17:43:09.713010073 CEST	49769	443	192.168.2.5	216.58.206.68
Sep 27, 2024 17:43:09.713038921 CEST	443	49769	216.58.206.68	192.168.2.5
Sep 27, 2024 17:43:09.714113951 CEST	443	49769	216.58.206.68	192.168.2.5
Sep 27, 2024 17:43:09.714793921 CEST	49769	443	192.168.2.5	216.58.206.68
Sep 27, 2024 17:43:09.714967966 CEST	443	49769	216.58.206.68	192.168.2.5
Sep 27, 2024 17:43:09.757539034 CEST	49769	443	192.168.2.5	216.58.206.68

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 17:41:04.686877012 CEST	54343	53	192.168.2.5	1.1.1.1
Sep 27, 2024 17:41:04.687109947 CEST	61590	53	192.168.2.5	1.1.1.1
Sep 27, 2024 17:41:04.693877935 CEST	53	54343	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:04.694531918 CEST	53	61590	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:04.696882010 CEST	53	63605	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:04.698909998 CEST	53	65373	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:05.809922934 CEST	52296	53	192.168.2.5	1.1.1.1
Sep 27, 2024 17:41:05.810223103 CEST	49364	53	192.168.2.5	1.1.1.1
Sep 27, 2024 17:41:05.817091942 CEST	53	52296	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:05.817238092 CEST	53	49364	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:05.839056015 CEST	53	55184	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:08.945924997 CEST	58794	53	192.168.2.5	1.1.1.1
Sep 27, 2024 17:41:08.946063995 CEST	57314	53	192.168.2.5	1.1.1.1
Sep 27, 2024 17:41:08.953345060 CEST	53	58794	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:08.953830004 CEST	53	57314	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:09.078593969 CEST	53	58056	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:11.129118919 CEST	53	57596	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:13.607678890 CEST	53510	53	192.168.2.5	1.1.1.1
Sep 27, 2024 17:41:13.608694077 CEST	59836	53	192.168.2.5	1.1.1.1
Sep 27, 2024 17:41:13.617392063 CEST	53	53510	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:13.617408991 CEST	53	59836	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:14.963090897 CEST	49554	53	192.168.2.5	1.1.1.1
Sep 27, 2024 17:41:14.963416100 CEST	57335	53	192.168.2.5	1.1.1.1
Sep 27, 2024 17:41:14.970366955 CEST	53	49554	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:14.970396996 CEST	53	57335	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:22.801106930 CEST	53	50553	1.1.1.1	192.168.2.5
Sep 27, 2024 17:41:41.563698053 CEST	53	49770	1.1.1.1	192.168.2.5
Sep 27, 2024 17:42:03.938029051 CEST	53	59878	1.1.1.1	192.168.2.5
Sep 27, 2024 17:42:04.479021072 CEST	53	61878	1.1.1.1	192.168.2.5
Sep 27, 2024 17:42:08.996789932 CEST	57908	53	192.168.2.5	1.1.1.1
Sep 27, 2024 17:42:08.996939898 CEST	49549	53	192.168.2.5	1.1.1.1
Sep 27, 2024 17:42:09.003458023 CEST	53	57908	1.1.1.1	192.168.2.5
Sep 27, 2024 17:42:09.003658056 CEST	53	49549	1.1.1.1	192.168.2.5
Sep 27, 2024 17:42:12.783947945 CEST	53	60343	1.1.1.1	192.168.2.5
Sep 27, 2024 17:42:15.340145111 CEST	56262	53	192.168.2.5	1.1.1.1
Sep 27, 2024 17:42:15.340286970 CEST	57204	53	192.168.2.5	1.1.1.1
Sep 27, 2024 17:42:15.347212076 CEST	53	56262	1.1.1.1	192.168.2.5
Sep 27, 2024 17:42:15.347512960 CEST	53	57204	1.1.1.1	192.168.2.5
Sep 27, 2024 17:42:33.005898952 CEST	53	50878	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 17:41:04.686877012 CEST	192.168.2.5	1.1.1.1	0xe16f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:04.687109947 CEST	192.168.2.5	1.1.1.1	0x65ee	Standard query (0)	youtube.com	65	IN (0x0001)	false
Sep 27, 2024 17:41:05.809922934 CEST	192.168.2.5	1.1.1.1	0xca7a	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.810223103 CEST	192.168.2.5	1.1.1.1	0xb161	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Sep 27, 2024 17:41:08.945924997 CEST	192.168.2.5	1.1.1.1	0x5ebe	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:08.946063995 CEST	192.168.2.5	1.1.1.1	0x37f	Standard query (0)	www.google.com	65	IN (0x0001)	false
Sep 27, 2024 17:41:13.607678890 CEST	192.168.2.5	1.1.1.1	0xe9a9	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:13.608694077 CEST	192.168.2.5	1.1.1.1	0x8134	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Sep 27, 2024 17:41:14.963090897 CEST	192.168.2.5	1.1.1.1	0xfa58	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:14.963416100 CEST	192.168.2.5	1.1.1.1	0x2603	Standard query (0)	play.google.com	65	IN (0x0001)	false
Sep 27, 2024 17:42:08.996789932 CEST	192.168.2.5	1.1.1.1	0x9428	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:42:08.996939898 CEST	192.168.2.5	1.1.1.1	0xf22b	Standard query (0)	www.google.com	65	IN (0x0001)	false
Sep 27, 2024 17:42:15.340145111 CEST	192.168.2.5	1.1.1.1	0x595b	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:42:15.340286970 CEST	192.168.2.5	1.1.1.1	0x3630	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 17:41:04.693877935 CEST	1.1.1.1	192.168.2.5	0xe16f	No error (0)	youtube.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:04.694531918 CEST	1.1.1.1	192.168.2.5	0x65ee	No error (0)	youtube.com			65	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817091942 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817238092 CEST	1.1.1.1	192.168.2.5	0xb161	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 27, 2024 17:41:05.817238092 CEST	1.1.1.1	192.168.2.5	0xb161	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Sep 27, 2024 17:41:08.953345060 CEST	1.1.1.1	192.168.2.5	0x5ebe	No error (0)	www.google.com		142.250.184.228	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:08.953830004 CEST	1.1.1.1	192.168.2.5	0x37f	No error (0)	www.google.com			65	IN (0x0001)	false
Sep 27, 2024 17:41:13.617392063 CEST	1.1.1.1	192.168.2.5	0xe9a9	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 27, 2024 17:41:13.617392063 CEST	1.1.1.1	192.168.2.5	0xe9a9	No error (0)	www3.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:41:13.617408991 CEST	1.1.1.1	192.168.2.5	0x8134	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 27, 2024 17:41:14.970366955 CEST	1.1.1.1	192.168.2.5	0xfa58	No error (0)	play.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:42:09.003458023 CEST	1.1.1.1	192.168.2.5	0x9428	No error (0)	www.google.com		216.58.206.68	A (IP address)	IN (0x0001)	false
Sep 27, 2024 17:42:09.003658056 CEST	1.1.1.1	192.168.2.5	0xf22b	No error (0)	www.google.com			65	IN (0x0001)	false
Sep 27, 2024 17:42:15.347212076 CEST	1.1.1.1	192.168.2.5	0x595b	No error (0)	play.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	142.250.185.142	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:05 UTC	867	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-27 15:41:05 UTC	1726	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Fri, 27 Sep 2024 15:41:05 GMT Date: Fri, 27 Sep 2024 15:41:05 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Frame-Options: SAMEORIGIN Content-Security-Policy: require-trusted-types-for 'script';report-uri /cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	142.250.186.78	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:06 UTC	885	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-27 15:41:06 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 27 Sep 2024 15:41:06 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script' P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Fri, 27-Sep-2024 16:11:06 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=ShXBwvvq0qg; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=8qX7qXGThxk; Domain=.youtube.com; Expires=Wed, 26-Mar-2025 15:41:06 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgLA%3D%3D; Domain=.youtube.com; Expires=Wed, 26-Mar-2025 15:41:06 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49719	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:10 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-27 15:41:10 UTC	465	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF70) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=3866 Date: Fri, 27 Sep 2024 15:41:10 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49721	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:11 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-27 15:41:11 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=25961 Date: Fri, 27 Sep 2024 15:41:11 GMT Content-Length: 55 Connection: close X-CID: 2
2024-09-27 15:41:11 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49732	142.250.184.238	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:14 UTC	1252	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-268956703&timestamp=1727451672597 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-27 15:41:14 UTC	1979	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-XV-lPiSYV5g488cVOx5WmA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 27 Sep 2024 15:41:14 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Resource-Policy: cross-origin reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjctDikmLw1ZBikPj6kkkDiJ3SZ7AGAXHSv_OsRUC8JOIi66HEi6yXuy-xXgdi1Z5LrKZAXCRxhbUJiIV4OGYtub2dTWDD3m83GJX0kvIL4zNTUvNKMksqU_JzEzPzkvPzszNTi4tTi8pSi-KNDIxMDCyNjPQMLOILDACpuzGT" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-27 15:41:14 UTC	1979	IN	Data Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 58 56 2d 6c 50 69 53 59 56 35 67 34 38 38 63 56 4f 78 35 57 6d 41 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7619<html><head><script nonce="XV-lPiSYV5g488cVOx5WmA">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-09-27 15:41:14 UTC	1979	IN	Data Raw: 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 28 2e 2a 3f 29 5c 5c 29 29 3f Data Ascii: \d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s(?:\$(.?)\$)?
2024-09-27 15:41:14 UTC	1979	IN	Data Raw: 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 55 69 6e 74 38 41 72 72 61 79 29 Data Ascii: number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a instanceof Uint8Array)
2024-09-27 15:41:14 UTC	1979	IN	Data Raw: 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d 31 5d 3b 28 66 3d 41 28 64 29 29 3f 62 2d 2d 3a 64 3d 76 6f 69 64 20 30 3b 63 3d 61 3b 69 Data Ascii: as(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-1];(f=A(d))?b--:d=void 0;c=a;i
2024-09-27 15:41:14 UTC	1979	IN	Data Raw: 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 6f 66 20 64 2e 70 72 6f 74 6f 74 79 70 65 5b 61 5d 21 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 46 28 64 2e 70 72 6f 74 6f Data Ascii: =Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&typeof d.prototype[a]!="function"&&F(d.proto
2024-09-27 15:41:14 UTC	1979	IN	Data Raw: 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 6a 60 22 2b 6b 29 3b 6b 5b 66 5d 5b 74 68 69 73 2e 67 5d 3d 6c 3b 72 65 74 75 72 6e 20 74 68 69 73 7d 3b 67 2e Data Ascii: h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))throw Error("j`"+k);k[f][this.g]=l;return this};g.
2024-09-27 15:41:14 UTC	1979	IN	Data Raw: 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 3f 6c 3d 62 2e 67 65 74 28 6b 29 3a 28 6c 3d 22 22 2b 20 2b 2b 68 2c 62 2e 73 65 74 28 6b 2c 6c 29 29 3a 6c 3d 22 70 5f 22 2b 6b 3b 76 61 72 20 6d 3d 67 5b 30 5d 5b 6c 5d 3b 69 66 Data Ascii: his.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)?l=b.get(k):(l=""+ ++h,b.set(k,l)):l="p_"+k;var m=g[0][l];if
2024-09-27 15:41:14 UTC	1979	IN	Data Raw: 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 39 3e 3e 3e 30 29 2c 6a 62 3d 30 2c 6b 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 72 65 74 75 72 6e 20 61 2e 63 61 6c 6c 2e 61 70 70 6c 79 28 61 2e 62 69 6e 64 2c 61 72 67 75 6d 65 6e 74 73 29 7d 2c Data Ascii: ar fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E9>>>0),jb=0,kb=function(a,b,c){return a.call.apply(a.bind,arguments)},
2024-09-27 15:41:14 UTC	1979	IN	Data Raw: 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 62 28 22 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 22 29 3b 61 3d 3d 6e 75 6c 6c 26 26 28 61 3d 27 55 6e 6b 6e 6f 77 6e 20 45 72 72 6f 72 20 6f 66 20 74 79 70 65 20 22 6e 75 6c 6c 2f 75 6e 64 65 66 69 6e 65 64 22 27 29 3b Data Ascii: (a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=hb("window.location.href");a==null&&(a='Unknown Error of type "null/undefined"');
2024-09-27 15:41:14 UTC	1979	IN	Data Raw: 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e 20 74 72 79 69 6e 67 20 74 6f 20 67 65 74 20 63 61 6c 6c 65 72 5d 5c 6e 22 29 7d 7d 65 6c 73 65 20 61 3f 63 2e 70 75 73 68 28 22 5b 2e 2e 2e 6c 6f 6e 67 20 73 74 61 63 6b 2e 2e 2e 5d 22 29 3a 63 2e 70 75 73 68 28 22 5b 65 6e 64 5d 22 29 3b 72 65 74 75 72 6e 20 63 2e 6a Data Ascii: (f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception trying to get caller]\n")}}else a?c.push("[...long stack...]"):c.push("[end]");return c.j

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49735	216.58.212.142	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:15 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-27 15:41:15 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 15:41:15 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49736	216.58.212.142	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:15 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-27 15:41:16 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 15:41:15 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49740	216.58.212.142	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:16 UTC	1140	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-27 15:41:16 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 34 35 31 36 37 33 39 35 38 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727451673958",null,null,null
2024-09-27 15:41:16 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=517=vt1PUWv1gtkHxwscvsnT1BkgYSCzeTH-N01kNPOlCatptWmdouaRf3wjTdTuYoGLiNwCKIfjSQ2md-WZ1eOpAAIYA4JQBulNGZoU_irLeysYyW2HliLjEBlND1qFSUjsI-_5ag4YBZ9B-2c16Eu8fPal8ZNL_luNRAlsOZqoQpnT1S7hEQ; expires=Sat, 29-Mar-2025 15:41:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 15:41:16 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Fri, 27 Sep 2024 15:41:16 GMT Connection: close Transfer-Encoding: chunked
2024-09-27 15:41:16 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-27 15:41:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49742	216.58.212.142	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:16 UTC	1140	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-27 15:41:16 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 34 35 31 36 37 34 30 33 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727451674037",null,null,null
2024-09-27 15:41:16 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=517=RHXJVC4If9b-QCeiogG9v9JxDjwWKzDVWs0P13uxiZehPJm-wBLW4gWAb3WueSqSZ3EOE9UyBpEft63_BIS8X5IbeOl3DazO4Sb2ipSJTiy1Un3LlGeHMetebZk74_SI3ElkUDexuF4nkJhu2atlpGNgjLCrJk86OP-NBeGqm4vFwZdM_g; expires=Sat, 29-Mar-2025 15:41:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 15:41:16 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Fri, 27 Sep 2024 15:41:16 GMT Connection: close Transfer-Encoding: chunked
2024-09-27 15:41:16 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-27 15:41:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49715	142.250.184.228	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:17 UTC	1229	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=517=RHXJVC4If9b-QCeiogG9v9JxDjwWKzDVWs0P13uxiZehPJm-wBLW4gWAb3WueSqSZ3EOE9UyBpEft63_BIS8X5IbeOl3DazO4Sb2ipSJTiy1Un3LlGeHMetebZk74_SI3ElkUDexuF4nkJhu2atlpGNgjLCrJk86OP-NBeGqm4vFwZdM_g
2024-09-27 15:41:17 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Fri, 27 Sep 2024 15:13:32 GMT Expires: Sat, 05 Oct 2024 15:13:32 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 1665 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-09-27 15:41:17 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-09-27 15:41:17 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-09-27 15:41:17 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-09-27 15:41:17 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-09-27 15:41:17 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49748	4.245.163.56	443

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:21 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Fkdu+bNZOm46ZGH&MD=vvCwg5c6 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-27 15:41:22 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 7033f443-bc5f-4ced-b5b1-06dd15ad270e MS-RequestId: 38e10f4b-2722-44f8-8d3d-68d926d3c2ba MS-CV: EPGh3Z40AEaGS5js.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 27 Sep 2024 15:41:20 GMT Connection: close Content-Length: 24490
2024-09-27 15:41:22 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-09-27 15:41:22 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49754	216.58.212.142	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:23 UTC	1314	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1224 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=517=RHXJVC4If9b-QCeiogG9v9JxDjwWKzDVWs0P13uxiZehPJm-wBLW4gWAb3WueSqSZ3EOE9UyBpEft63_BIS8X5IbeOl3DazO4Sb2ipSJTiy1Un3LlGeHMetebZk74_SI3ElkUDexuF4nkJhu2atlpGNgjLCrJk86OP-NBeGqm4vFwZdM_g
2024-09-27 15:41:23 UTC	1224	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 34 35 31 36 37 31 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727451671000",null,null,null,
2024-09-27 15:41:23 UTC	940	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=517=2Bxt3yVNsUaUaonxJf1gizas41c-F9GwrZEWZILJ3cC7MO0U-jYj3_AOXk811A8Kya35bdnMFj14nmNUvOaN-zTHT7XXU0F3I2fXHBtIKK140PGJ09gvnxMGZTtxPe479SgC542oDo-maZkCr9D_T3NRMXmJt9Fm3Ry_sBtqWv4AfTk3jd-NAcG9fQ; expires=Sat, 29-Mar-2025 15:41:23 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 15:41:23 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Fri, 27 Sep 2024 15:41:23 GMT Connection: close Transfer-Encoding: chunked
2024-09-27 15:41:23 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-27 15:41:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49756	216.58.212.142	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:45 UTC	1345	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1424 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=517=2Bxt3yVNsUaUaonxJf1gizas41c-F9GwrZEWZILJ3cC7MO0U-jYj3_AOXk811A8Kya35bdnMFj14nmNUvOaN-zTHT7XXU0F3I2fXHBtIKK140PGJ09gvnxMGZTtxPe479SgC542oDo-maZkCr9D_T3NRMXmJt9Fm3Ry_sBtqWv4AfTk3jd-NAcG9fQ
2024-09-27 15:41:45 UTC	1424	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 34 35 31 37 30 34 31 31 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727451704117",null,null,null
2024-09-27 15:41:46 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 15:41:45 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-27 15:41:46 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-27 15:41:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49757	216.58.212.142	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:46 UTC	1345	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1244 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=517=2Bxt3yVNsUaUaonxJf1gizas41c-F9GwrZEWZILJ3cC7MO0U-jYj3_AOXk811A8Kya35bdnMFj14nmNUvOaN-zTHT7XXU0F3I2fXHBtIKK140PGJ09gvnxMGZTtxPe479SgC542oDo-maZkCr9D_T3NRMXmJt9Fm3Ry_sBtqWv4AfTk3jd-NAcG9fQ
2024-09-27 15:41:46 UTC	1244	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 34 35 31 37 30 35 32 32 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727451705226",null,null,null
2024-09-27 15:41:46 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 15:41:46 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-27 15:41:46 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-27 15:41:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49758	216.58.212.142	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:46 UTC	1305	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1037 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=517=2Bxt3yVNsUaUaonxJf1gizas41c-F9GwrZEWZILJ3cC7MO0U-jYj3_AOXk811A8Kya35bdnMFj14nmNUvOaN-zTHT7XXU0F3I2fXHBtIKK140PGJ09gvnxMGZTtxPe479SgC542oDo-maZkCr9D_T3NRMXmJt9Fm3Ry_sBtqWv4AfTk3jd-NAcG9fQ
2024-09-27 15:41:46 UTC	1037	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 34 2e 30 32 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240924.02_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-09-27 15:41:47 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 15:41:47 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-27 15:41:47 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-27 15:41:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49759	4.245.163.56	443

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:41:59 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Fkdu+bNZOm46ZGH&MD=vvCwg5c6 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-27 15:42:00 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 778e7c7f-2c24-4fd5-98f7-56ee575de46e MS-RequestId: 5b2894fc-55b5-4b53-86c7-720e2e9d0106 MS-CV: wS00ZDo9JEOM4Gk4.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 27 Sep 2024 15:41:59 GMT Connection: close Content-Length: 30005
2024-09-27 15:42:00 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-09-27 15:42:00 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49763	142.250.184.206	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:42:15 UTC	1345	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1342 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=517=2Bxt3yVNsUaUaonxJf1gizas41c-F9GwrZEWZILJ3cC7MO0U-jYj3_AOXk811A8Kya35bdnMFj14nmNUvOaN-zTHT7XXU0F3I2fXHBtIKK140PGJ09gvnxMGZTtxPe479SgC542oDo-maZkCr9D_T3NRMXmJt9Fm3Ry_sBtqWv4AfTk3jd-NAcG9fQ
2024-09-27 15:42:15 UTC	1342	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 34 35 31 37 33 34 33 34 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727451734343",null,null,null
2024-09-27 15:42:16 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 15:42:16 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-27 15:42:16 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-27 15:42:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49765	142.250.184.206	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:42:17 UTC	1345	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1496 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=517=2Bxt3yVNsUaUaonxJf1gizas41c-F9GwrZEWZILJ3cC7MO0U-jYj3_AOXk811A8Kya35bdnMFj14nmNUvOaN-zTHT7XXU0F3I2fXHBtIKK140PGJ09gvnxMGZTtxPe479SgC542oDo-maZkCr9D_T3NRMXmJt9Fm3Ry_sBtqWv4AfTk3jd-NAcG9fQ
2024-09-27 15:42:17 UTC	1496	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 34 35 31 37 33 35 35 36 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727451735563",null,null,null
2024-09-27 15:42:17 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 15:42:17 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-27 15:42:17 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-27 15:42:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49767	142.250.184.206	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:42:47 UTC	1345	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1452 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=517=2Bxt3yVNsUaUaonxJf1gizas41c-F9GwrZEWZILJ3cC7MO0U-jYj3_AOXk811A8Kya35bdnMFj14nmNUvOaN-zTHT7XXU0F3I2fXHBtIKK140PGJ09gvnxMGZTtxPe479SgC542oDo-maZkCr9D_T3NRMXmJt9Fm3Ry_sBtqWv4AfTk3jd-NAcG9fQ
2024-09-27 15:42:47 UTC	1452	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 34 35 31 37 36 35 36 37 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727451765671",null,null,null
2024-09-27 15:42:47 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 15:42:47 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-27 15:42:47 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-27 15:42:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49768	142.250.184.206	443	6048	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 15:42:49 UTC	1345	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1435 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=517=2Bxt3yVNsUaUaonxJf1gizas41c-F9GwrZEWZILJ3cC7MO0U-jYj3_AOXk811A8Kya35bdnMFj14nmNUvOaN-zTHT7XXU0F3I2fXHBtIKK140PGJ09gvnxMGZTtxPe479SgC542oDo-maZkCr9D_T3NRMXmJt9Fm3Ry_sBtqWv4AfTk3jd-NAcG9fQ
2024-09-27 15:42:49 UTC	1435	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 34 35 31 37 36 37 39 32 38 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727451767928",null,null,null
2024-09-27 15:42:49 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Fri, 27 Sep 2024 15:42:49 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-27 15:42:49 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-27 15:42:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:41:02
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x530000
File size:	1'167'360 bytes
MD5 hash:	0CDC96575612C0492C5137E300D18CEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	11:41:02
Start date:	27/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:41:02
Start date:	27/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1864,i,6041840047849572020,8972894644726327820,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	11:41:13
Start date:	27/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5736 --field-trial-handle=1864,i,6041840047849572020,8972894644726327820,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	11:41:14
Start date:	27/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 --field-trial-handle=1864,i,6041840047849572020,8972894644726327820,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.3%
Total number of Nodes:	1529
Total number of Limit Nodes:	43

Executed Functions

Function 005342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0053430D

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

GetCurrentProcess.KERNEL32(?,005CCB64,00000000,?,?), ref: 00534422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00534429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00534454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00534466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00534474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0053447B
GetSystemInfo.KERNEL32(?,?,?), ref: 005344A0

Strings

|O, xrefs: 005736F8
GetNativeSystemInfo, xrefs: 00534460
kernel32.dll, xrefs: 0053444F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 56c5cd0210817e9c6806131cb773fc3fd3aaacbd7ca189a03e499c6629f6f547
Instruction ID: 6e4666321a6d9dc7cb8878e5369272afa4703f18deaccf1cc1199efb98f74a45
Opcode Fuzzy Hash: 56c5cd0210817e9c6806131cb773fc3fd3aaacbd7ca189a03e499c6629f6f547
Instruction Fuzzy Hash: CFA1B86198A6D0DFCB1DC7697C815977FA67B37310F08BCA9D0859FA22D2305608EF61

Function 005342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005350AA,?,?,00000000,00000000), ref: 005342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005350AA,?,?,00000000,00000000), ref: 005342C9
LoadResource.KERNEL32(?,00000000,?,?,005350AA,?,?,00000000,00000000,?,?,?,?,?,?,00534F20), ref: 005735BE
SizeofResource.KERNEL32(?,00000000,?,?,005350AA,?,?,00000000,00000000,?,?,?,?,?,?,00534F20), ref: 005735D3
LockResource.KERNEL32(005350AA,?,?,005350AA,?,?,00000000,00000000,?,?,?,?,?,?,00534F20,?), ref: 005735E6

Strings

SCRIPT, xrefs: 005342BF

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f522642230a2d32bfcb683955647ad1dcfdb6c135c5a68f7a210e4352d726c21
Instruction ID: 80eb459e0a8e83167533488a86a0623494ad4cc0013d0de9cd616d85b61b8363
Opcode Fuzzy Hash: f522642230a2d32bfcb683955647ad1dcfdb6c135c5a68f7a210e4352d726c21
Instruction Fuzzy Hash: 59117C78200700BFD7218BA6DC48F277FBDFBD6B51F148169F41696650DB71EC04AA20

Function 00572BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00532B6B

Part of subcall function 00533A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00601418,?,00532E7F,?,?,?,00000000), ref: 00533A78

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,005F2224), ref: 00572C10
ShellExecuteW.SHELL32(00000000,?,?,005F2224), ref: 00572C17

Strings

runas, xrefs: 00572C0B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: b3a133aafecb1ab35e5d1045e802f4b1d61e27afa4186d9401528200bae31d91
Instruction ID: ec8c626bde24c8af4cf7d7787e4022afcf2f4282d6479b0c06316f4b8576536a
Opcode Fuzzy Hash: b3a133aafecb1ab35e5d1045e802f4b1d61e27afa4186d9401528200bae31d91
Instruction Fuzzy Hash: 4511D3712487466AC709FF60D869DBEBFA5BBE1340F04582DF186160B2DF618A0AD712

Function 0059DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00575222), ref: 0059DBCE
GetFileAttributesW.KERNEL32(?), ref: 0059DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0059DBEE
FindClose.KERNEL32(00000000), ref: 0059DBFA

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: e19bb763b5ca37efb9224b3547f669d8a8f571e4949479e042447d7469d94bbb
Instruction ID: 508186b1cebb55f3dab201a3b18cf360b39a78c453abd91144dd50bff3d04cd3
Opcode Fuzzy Hash: e19bb763b5ca37efb9224b3547f669d8a8f571e4949479e042447d7469d94bbb
Instruction Fuzzy Hash: C8F0A0308109105B8A206B78EC0D8AA7F7CAF41334B144702F87AC20E0EBB05D59DAA5

Function 0053BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#`, xrefs: 005807CE

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#`
API String ID: 3964851224-1487644539
Opcode ID: 42ff84a2cf37fb3be7697387c6365720e6672cc97c6d6a80c821e72577bf8152
Instruction ID: e55ee0b1a0a861a94b7c6c0beac17b2617171e68de58856b7d3b498ef884d6f9
Opcode Fuzzy Hash: 42ff84a2cf37fb3be7697387c6365720e6672cc97c6d6a80c821e72577bf8152
Instruction Fuzzy Hash: EAA279746083418FC754DF28C484B6ABFE1BF89304F14996DE89AAB392D771EC45CB92

Function 0053D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0053D807
timeGetTime.WINMM ref: 0053DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0053DB28
TranslateMessage.USER32(?), ref: 0053DB7B
DispatchMessageW.USER32(?), ref: 0053DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0053DB9F
Sleep.KERNEL32(0000000A), ref: 0053DBB1

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 8269492ed9fa6de89f6e0f06b0b24402ca446fe426ba04f207903ce6a0dbae52
Instruction ID: 2a7148632e4d29e42465a1c364175dfd9f55da337b23518ee7c22e5bdbdc94ad
Opcode Fuzzy Hash: 8269492ed9fa6de89f6e0f06b0b24402ca446fe426ba04f207903ce6a0dbae52
Instruction Fuzzy Hash: 4E42F030608642DFD728DF24D898BAABFF5FF85304F14895DE85697291D770E844CBA2

Function 00532CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00532D07
RegisterClassExW.USER32(00000030), ref: 00532D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00532D42
InitCommonControlsEx.COMCTL32(?), ref: 00532D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00532D6F
LoadIconW.USER32(000000A9), ref: 00532D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00532D94

Strings

+, xrefs: 00532CF0
TaskbarCreated, xrefs: 00532D37
0, xrefs: 00532CE9
AutoIt v3 GUI, xrefs: 00532D23

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c23e687e0ef8c20bb7ee4b5e913a9b52484c5e59a6974a37a5f4a9872e0e1202
Instruction ID: a33495a5698e3009cdfa7a206c43db9bbe7f6d980a92dedd8b907cab0a16f3db
Opcode Fuzzy Hash: c23e687e0ef8c20bb7ee4b5e913a9b52484c5e59a6974a37a5f4a9872e0e1202
Instruction Fuzzy Hash: 6F21EFB5D41308AFDB00DFA4E889BDEBFB5FB09701F00911AF615AA2A0D7B105449F90

Function 0057065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0057039A: CreateFileW.KERNEL32(00000000,00000000,?,00570704,?,?,00000000,?,00570704,00000000,0000000C), ref: 005703B7

GetLastError.KERNEL32 ref: 0057076F
__dosmaperr.LIBCMT ref: 00570776
GetFileType.KERNEL32(00000000), ref: 00570782
GetLastError.KERNEL32 ref: 0057078C
__dosmaperr.LIBCMT ref: 00570795
CloseHandle.KERNEL32(00000000), ref: 005707B5
CloseHandle.KERNEL32(?), ref: 005708FF
GetLastError.KERNEL32 ref: 00570931
__dosmaperr.LIBCMT ref: 00570938

Strings

H, xrefs: 005708BD

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 75e33d5d781cdb9423463c3e69244e7282a7cbbaf2439210a30ddb9544787a98
Instruction ID: cd587211139cf4fbd567b8340ef2de89dfbd87174675c45b0664cad5881d6eac
Opcode Fuzzy Hash: 75e33d5d781cdb9423463c3e69244e7282a7cbbaf2439210a30ddb9544787a98
Instruction Fuzzy Hash: ABA14532A001498FDF19AF68EC55BAE3FE1FB46320F14915DF8199B2D1DB309816EB91

Function 0053344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00533A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00601418,?,00532E7F,?,?,?,00000000), ref: 00533A78

Part of subcall function 00533357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00533379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0053356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0057318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005731CE
RegCloseKey.ADVAPI32(?), ref: 00573210
_wcslen.LIBCMT ref: 00573277
_wcslen.LIBCMT ref: 00573286

Strings

\Include\, xrefs: 00533527
Software\AutoIt v3\AutoIt, xrefs: 00533560
Include, xrefs: 00573184, 005731C5
\, xrefs: 0057328C

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 11de60ab6af122854c9c2d607fdcc1276fcc99c21bed3087341111e81558d8b9
Instruction ID: 82d6f389a8f95fce620109dc07263f99f2a1ef247fee349b8e454b4570067529
Opcode Fuzzy Hash: 11de60ab6af122854c9c2d607fdcc1276fcc99c21bed3087341111e81558d8b9
Instruction Fuzzy Hash: 0771C3714443029EC318DF65ECA999BBFE8FFC4750F40582EF589931A1EB749A48CB51

Function 00532B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00532B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00532B9D
LoadIconW.USER32(00000063), ref: 00532BB3
LoadIconW.USER32(000000A4), ref: 00532BC5
LoadIconW.USER32(000000A2), ref: 00532BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00532BEF
RegisterClassExW.USER32(?), ref: 00532C40

Part of subcall function 00532CD4: GetSysColorBrush.USER32(0000000F), ref: 00532D07
Part of subcall function 00532CD4: RegisterClassExW.USER32(00000030), ref: 00532D31
Part of subcall function 00532CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00532D42
Part of subcall function 00532CD4: InitCommonControlsEx.COMCTL32(?), ref: 00532D5F
Part of subcall function 00532CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00532D6F
Part of subcall function 00532CD4: LoadIconW.USER32(000000A9), ref: 00532D85
Part of subcall function 00532CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00532D94

Strings

0, xrefs: 00532C0F
#, xrefs: 00532C16
AutoIt v3, xrefs: 00532C2F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 872eef3d7e78065dee7e2e75880c20d95577fd0c7956b27b8dc1c9c341dcc80f
Instruction ID: 5003620366ac1d93d798c61d87e00b5a50d0de2c919319b430c784d91288d05a
Opcode Fuzzy Hash: 872eef3d7e78065dee7e2e75880c20d95577fd0c7956b27b8dc1c9c341dcc80f
Instruction Fuzzy Hash: C6215070E40314AFDB149F95EC45B9E7FF6FB49B50F04101AF504AA6A0D3B10A44DF90

Function 0053B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0053BB4E

Strings

x#`, xrefs: 00580168
x#`, xrefs: 00580207
p#`, xrefs: 0053BB6B
p#`, xrefs: 00580263
p%`, xrefs: 0053BB32
p#`, xrefs: 0053BA72
p#`, xrefs: 0058024F
p%`, xrefs: 0053B8DC

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#`$p#`$p#`$p#`$p%`$p%`$x#`$x#`
API String ID: 1385522511-2312716534
Opcode ID: e5af56d9e7a6a4fc42047298c3259b7b8e32dfd2c8fdd20b56f0c2ca58cd8545
Instruction ID: 959e273689525dc1029f72e0951c5980c08f9990f49892a39206d5008bb7bb77
Opcode Fuzzy Hash: e5af56d9e7a6a4fc42047298c3259b7b8e32dfd2c8fdd20b56f0c2ca58cd8545
Instruction Fuzzy Hash: 7A32AC35A0020ADFEB24DF58C898BBABFB6FF44314F148459EE05AB291C774AD45CB91

Function 00533170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0053316A,?,?), ref: 005331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0053316A,?,?), ref: 00533204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00533227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0053316A,?,?), ref: 00533232
CreatePopupMenu.USER32 ref: 00533246
PostQuitMessage.USER32(00000000), ref: 00533267

Strings

TaskbarCreated, xrefs: 0053322D

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8840c75d534b17bf3367bbe5b112bc3dc7a51cbef96f4f751b1acdacf9c0fb69
Instruction ID: e5d96b379a4ee8b9cf3548cd448a21870316a23b39128dbad760457532c6d67e
Opcode Fuzzy Hash: 8840c75d534b17bf3367bbe5b112bc3dc7a51cbef96f4f751b1acdacf9c0fb69
Instruction Fuzzy Hash: B0413335680205AFDB281B78DC1DB7F3F5AFB46300F044129F90B8A2A1CB608E41E7A1

Function 00532C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00532C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00532CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00531CAD,?), ref: 00532CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00531CAD,?), ref: 00532CCF

Strings

edit, xrefs: 00532CAC
AutoIt v3, xrefs: 00532C89, 00532C8E, 00532C8F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 209ec1151fddd999cb6f9000259831b6b89b71fe091bf72ab3733705c185988a
Instruction ID: db6a0c9ff9def413e1a1659b55ed85062f2ad00097ecab1f1142495c09583df3
Opcode Fuzzy Hash: 209ec1151fddd999cb6f9000259831b6b89b71fe091bf72ab3733705c185988a
Instruction Fuzzy Hash: 7DF0DA755803907FEB351717AC08E772EBEE7C7F50B00205EF904EA5A0C6B11855DAB0

Function 005BAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 005BAEA3

Part of subcall function 00537620: _wcslen.LIBCMT ref: 00537625

GetProcessId.KERNEL32(00000000), ref: 005BAF38
CloseHandle.KERNEL32(00000000), ref: 005BAF67

Strings

@, xrefs: 005BAE72
<, xrefs: 005BAE6B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: e6cff8a617dc1bf5f2dffa07a176c573120a4e6590bdc50fb16ac360d80870e6
Instruction ID: dc1895ce9b1d66fe7c832bde8d4c660a10c2a33a0a51be8fda2752a8d24f8bc0
Opcode Fuzzy Hash: e6cff8a617dc1bf5f2dffa07a176c573120a4e6590bdc50fb16ac360d80870e6
Instruction Fuzzy Hash: 9C717775A0061ADFCB14DF64C488A9EBFF4BF48310F048499E856AB3A2DB74ED45CB91

Function 0059E97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0059E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0059E9A5
Sleep.KERNEL32(00000000), ref: 0059E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0059E9B7
Sleep.KERNEL32 ref: 0059E9F3

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d1c0a98d4f609bdafbc930ec84a8101242ea5efa2438421a9e3e8c3c353627b4
Instruction ID: 932437724addeb99383f68e157d49883d10726b3813d8a9d6c481e93cc721574
Opcode Fuzzy Hash: d1c0a98d4f609bdafbc930ec84a8101242ea5efa2438421a9e3e8c3c353627b4
Instruction Fuzzy Hash: E3015331C01A29DBCF00EBE5DC5AAEDBF78FB18300F050946E902B2241CB309A58DBA1

Function 00533B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00533B0F,SwapMouseButtons,00000004,?), ref: 00533B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00533B0F,SwapMouseButtons,00000004,?), ref: 00533B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00533B0F,SwapMouseButtons,00000004,?), ref: 00533B83

Strings

Control Panel\Mouse, xrefs: 00533B3E

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 5335ec57fe72bf96a4b49e4776c536526e516a66ee6eb675f8f877ff24c40eca
Instruction ID: 2e10c05baff8eedf6e2b2fe2da7de9e879c4812f4cf2a15bdca2c703a1cf6943
Opcode Fuzzy Hash: 5335ec57fe72bf96a4b49e4776c536526e516a66ee6eb675f8f877ff24c40eca
Instruction Fuzzy Hash: 91112AB5510208FFDB218FA5DC58EAEBBB8FF04744F104859E805E7110E2319E44A760

Function 00533923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005733A2

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00533A04

Strings

Line: , xrefs: 005733EB

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 26328d5b50d7b5f62a5e8b410b79c43d551786b4dd42cc4501d8386e915e356f
Instruction ID: a73d82a853b9eb1fcd26a02786141ebe1f0377d4802812156e659eda1b810c49
Opcode Fuzzy Hash: 26328d5b50d7b5f62a5e8b410b79c43d551786b4dd42cc4501d8386e915e356f
Instruction Fuzzy Hash: 8E31D471448305ABC725EB20DC49BEBBBD8BB81710F10892EF59987091EB749A48C7C2

Function 00532DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00572C8C

Part of subcall function 00533AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00533A97,?,?,00532E7F,?,?,?,00000000), ref: 00533AC2

Part of subcall function 00532DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00532DC4

Strings

X, xrefs: 00572C5A
`e_, xrefs: 00572C85

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e_
API String ID: 779396738-1251496921
Opcode ID: c936c0ff457254d9075cd5c9eb9a7d36e0fbb4eb8626390d62362e6f199f4e76
Instruction ID: 0d74d839585bd5094bbedddecc3b95725d8ac7a13e9f0b9319375bfdbae10f7e
Opcode Fuzzy Hash: c936c0ff457254d9075cd5c9eb9a7d36e0fbb4eb8626390d62362e6f199f4e76
Instruction Fuzzy Hash: 2F218171A00258AFCB01AF94D849BEE7FFCBF89304F008059E509A7241DBB85A499FA1

Function 0054FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00550668

Part of subcall function 005532A4: RaiseException.KERNEL32(?,?,?,0055068A,?,00601444,?,?,?,?,?,?,0055068A,00531129,005F8738,00531129), ref: 00553304

__CxxThrowException@8.LIBVCRUNTIME ref: 00550685

Strings

Unknown exception, xrefs: 00550692

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: f4449833a1bcc1c8b7575d6069ff1e91ee9f4c7d6545a3e40a4a36f3df82c4e2
Instruction ID: 62b118057f8fea4f57b26609c2b6f4e0e00973c69a8c83a8c5609caf074bfe6f
Opcode Fuzzy Hash: f4449833a1bcc1c8b7575d6069ff1e91ee9f4c7d6545a3e40a4a36f3df82c4e2
Instruction Fuzzy Hash: 04F0283490020E77CF00B6A8D86ECAD7F6C7E80355B604432BD14C58D1EF71DA6DCA80

Function 005310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00531BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00531BF4
Part of subcall function 00531BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00531BFC
Part of subcall function 00531BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00531C07
Part of subcall function 00531BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00531C12
Part of subcall function 00531BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00531C1A
Part of subcall function 00531BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00531C22

Part of subcall function 00531B4A: RegisterWindowMessageW.USER32(00000004,?,005312C4), ref: 00531BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0053136A
OleInitialize.OLE32 ref: 00531388
CloseHandle.KERNEL32(00000000,00000000), ref: 005724AB

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 1b603769cf9afc0d4208183e84221c5f2390ed45b81c6759833f69c9ebfd29ad
Instruction ID: 5518d19fc1f049ec5803fc888f3f02440dcbf0918c799ccaee6d9449d28ce8d9
Opcode Fuzzy Hash: 1b603769cf9afc0d4208183e84221c5f2390ed45b81c6759833f69c9ebfd29ad
Instruction Fuzzy Hash: 4C719AF49912018FC38ADF79AC596573FE2FB8A344B54A22EE04ADF2B1EB3045018F54

Function 0059C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00533923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00533A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0059C259
KillTimer.USER32(?,00000001,?,?), ref: 0059C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0059C270

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: ab00db4fffe3665d1145e824427cdbb24067958e6f8e395530a4fada804bf12e
Instruction ID: e9f02eb6a6425f0a71372ec2ecbf978864637cffd8e58bc0565e049930755e53
Opcode Fuzzy Hash: ab00db4fffe3665d1145e824427cdbb24067958e6f8e395530a4fada804bf12e
Instruction Fuzzy Hash: A231C374904384AFEF228F648895BEBBFEDAB17308F00449ED5DE97241C3745A88CB51

Function 005686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,005685CC,?,005F8CC8,0000000C), ref: 00568704
GetLastError.KERNEL32(?,005685CC,?,005F8CC8,0000000C), ref: 0056870E
__dosmaperr.LIBCMT ref: 00568739

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: f49674fce78b9f474046152a840c2f3451bd48e34ca3f1bea7cb2c26f16cf41b
Instruction ID: d1f6b4cd4f98aaead833917eb7e9a46891023a92ac578acec07a86a4741a56ca
Opcode Fuzzy Hash: f49674fce78b9f474046152a840c2f3451bd48e34ca3f1bea7cb2c26f16cf41b
Instruction Fuzzy Hash: B3014E327456601AD7346734E849B7E6F49BBE1BB4F390719F9188B2D2EEA1CC819250

Function 0053DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0053DB7B
DispatchMessageW.USER32(?), ref: 0053DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0053DB9F
Sleep.KERNEL32(0000000A), ref: 0053DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00581CC9

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 04ae6dab372ddc15b7f71fb8a90cdf61665260660029357f9fe3d6c1ed6fdbac
Instruction ID: d079e27e54712b0a282bd4789d946647eeb1181b8817f75a0873a6e23b602fcd
Opcode Fuzzy Hash: 04ae6dab372ddc15b7f71fb8a90cdf61665260660029357f9fe3d6c1ed6fdbac
Instruction Fuzzy Hash: EAF05E306447409BEB30DB60DC99FEA7BBDFB85310F104919E64A970C0DB30A4489F25

Function 00541310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005417F6

Strings

CALL, xrefs: 005417C6

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 2e0ab93b73af8889233a0913d46ac9e515ff15a2d6ab881d753dc4ba935ab465
Instruction ID: 2475ca78ffef3943cce0df34c2ab688493591d6e3ec486e15219978122d30cff
Opcode Fuzzy Hash: 2e0ab93b73af8889233a0913d46ac9e515ff15a2d6ab881d753dc4ba935ab465
Instruction Fuzzy Hash: 86227B706086029FC714DF14C498AAABFF1BF85318F14891DF8969B3A2D771E885CB96

Function 00533837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00533908

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 15d3314f95e1bf4eae8334f540c0d738c39339479dc37ce75de0a7f31a85f887
Instruction ID: 88762ccdd2b1f6d0218e6482a20b8b6e232f681309ce7f96c602874010a76208
Opcode Fuzzy Hash: 15d3314f95e1bf4eae8334f540c0d738c39339479dc37ce75de0a7f31a85f887
Instruction Fuzzy Hash: B431A270505701DFD720DF24D88479BBFE8FB49709F00092EF59997280E771AA48CB92

Function 0054F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0054F661

Part of subcall function 0053D730: GetInputState.USER32 ref: 0053D807

Sleep.KERNEL32(00000000), ref: 0058F2DE

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: daf43e73628dd96cd2afdd3be80bd537c6d66161d0d8539767e3570e072c8e91
Instruction ID: 964d00e200bd6417d7a588124909774480eed3b4e1fb8779f8d40a90a417af5f
Opcode Fuzzy Hash: daf43e73628dd96cd2afdd3be80bd537c6d66161d0d8539767e3570e072c8e91
Instruction Fuzzy Hash: 9CF01C352406069FD314EF69D849F6ABFF8FF99761F004029E95ED7261EB70A804CB91

Function 005B58A2 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005B5930

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 90f7f77df0e018f52763c073c9f35d8f0bf3d88a8ba089fc9a6a5ac0972a7c58
Instruction ID: 9d85c5abf9f00d5aa7e929aee80e6ff0adb5389df6df3f97f085a9db05eaf60e
Opcode Fuzzy Hash: 90f7f77df0e018f52763c073c9f35d8f0bf3d88a8ba089fc9a6a5ac0972a7c58
Instruction Fuzzy Hash: 1C718C30600615AFCB28DF54C885EFABBB5FF58304F108569F955AB291E771BD81CB90

Function 005C2598 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000013,00000001,?), ref: 005C2649

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: ab0904773914022d0e251f6dcb7bf2bc2de0444b2247f28d14b72284ed74ff6e
Instruction ID: 913358e9f4f5834b5f0462101698dc6171b784a5b47cd16d0d3a58454c716d7d
Opcode Fuzzy Hash: ab0904773914022d0e251f6dcb7bf2bc2de0444b2247f28d14b72284ed74ff6e
Instruction Fuzzy Hash: 7721B374200616AFD710DF58C890E36BF99FB44368F14845CE8568B392CB71ED81CB90

Function 005C13B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 005C1420

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 9616413ee4fe37a4ef3b665486c06fdbf24d50c424fa5a6c7406a9ee87cf593b
Instruction ID: c87fc9996b6680d69cea08e727aee1c90087b94c45fa45d948cb3b536484b0ec
Opcode Fuzzy Hash: 9616413ee4fe37a4ef3b665486c06fdbf24d50c424fa5a6c7406a9ee87cf593b
Instruction Fuzzy Hash: E8315C30604603AFDB18EF69C495F69BBA2FF85328F14856CE8164B292DB71EC51CB94

Function 00534ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00534E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00534EDD,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534E9C
Part of subcall function 00534E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00534EAE
Part of subcall function 00534E90: FreeLibrary.KERNEL32(00000000,?,?,00534EDD,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534EFD

Part of subcall function 00534E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00573CDE,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534E62
Part of subcall function 00534E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00534E74
Part of subcall function 00534E59: FreeLibrary.KERNEL32(00000000,?,?,00573CDE,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534E87

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 4660e3e7560bead4446a15b139a2f0464ce07b3ca2c0632a2ef5404e6d2819b5
Instruction ID: 828ea8b83a10d2d860f678fd82bf4cb699dcdbfce052e73c37d9874900fb7e84
Opcode Fuzzy Hash: 4660e3e7560bead4446a15b139a2f0464ce07b3ca2c0632a2ef5404e6d2819b5
Instruction Fuzzy Hash: 5A112731600306AACF15ABA4DC0AFAD7FA9BF80710F14842DF442A62C1EE70AE05AF50

Function 00568402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00568440

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 7e12258bd9611352c47c3904ab543ae59fc268ab57987d1c13ce91f81e172ad6
Instruction ID: 06c7b5381f99c43cb92eb2af9897f6df345e6eafab3cb93a2d282fb875204a7a
Opcode Fuzzy Hash: 7e12258bd9611352c47c3904ab543ae59fc268ab57987d1c13ce91f81e172ad6
Instruction Fuzzy Hash: 8E11487190410AAFCF15DF58E940AAA7BF5FF48304F104199F808AB312DB31DA11CBA4

Function 00565000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00564C7D: RtlAllocateHeap.NTDLL(00000008,00531129,00000000,?,00562E29,00000001,00000364,?,?,?,0055F2DE,00563863,00601444,?,0054FDF5,?), ref: 00564CBE

_free.LIBCMT ref: 0056506C

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 4a639a223ce5741d3d4cdf37194d186ac661e357093ad6eaaa723a39a5edba88
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: AB0126722447056BE3318F65D889A5AFFE8FBC9370F65051DE18483280EA30A845C6B4

Function 005C29BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,005C14B5,?), ref: 005C2A01

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 36655f576a5a055a44db4088f06bd6a3c6ee9cf0c3f945c43cd02d63dae31d25
Instruction ID: 5afb2deea4dbe611c1ed065ef01dbab6ad62c9c4e2b58f3749cca92d784dc7c5
Opcode Fuzzy Hash: 36655f576a5a055a44db4088f06bd6a3c6ee9cf0c3f945c43cd02d63dae31d25
Instruction Fuzzy Hash: 1501B536300A42AFD324CAADC854F223F92FBC5314F69846CC04B8B251DB72EC82CB90

Function 0055E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 59005984572fff2bc5c27c1a9ca67408d7a7a83b3b503f0181b413e30046d80f
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 06F0F932510A119AC7353A65AC2EB5A3F99BFD23B3F100B17FC25931D1CB70D90A86A5

Function 005C149E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 005C14EB

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 6628c4fe11dd38f0a8107297bfab85bc272fc777a45038db81f6453c78f20396
Instruction ID: 3dfd8e16f9a594c0b4c2db49bc7bfcfa2984cb70fed0a067df76fc4a2ac8eb02
Opcode Fuzzy Hash: 6628c4fe11dd38f0a8107297bfab85bc272fc777a45038db81f6453c78f20396
Instruction Fuzzy Hash: CA01D435304A419F9B24DFA9C480E26BF95FF86364754809DE84A8B743D672DD82CB84

Function 00564C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00531129,00000000,?,00562E29,00000001,00000364,?,?,?,0055F2DE,00563863,00601444,?,0054FDF5,?), ref: 00564CBE

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3dd7888f6e3b48c4531692e69e9df84dd5851a1fb1aca427cdc8fd1205f21999
Instruction ID: 8545a6ecbb120ff1387cb78f452a7b041a256101ae1899d9a53bf91b83fdd2f1
Opcode Fuzzy Hash: 3dd7888f6e3b48c4531692e69e9df84dd5851a1fb1aca427cdc8fd1205f21999
Instruction Fuzzy Hash: 90F0E93160262567FB215F669C09F5B3F89BFC17A1B144122FC19EB781CA30DC019EE0

Function 00563820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00601444,?,0054FDF5,?,?,0053A976,00000010,00601440,005313FC,?,005313C6,?,00531129), ref: 00563852

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3e8c5b7e8aa3ad1fac7a7d7fb25e2eb2c7f95973e30171a9baa50fb2f8e2cfd6
Instruction ID: a810d3d73900a656d6437a9862730166bb0ad01b123ed477ec4e8ac512e347c4
Opcode Fuzzy Hash: 3e8c5b7e8aa3ad1fac7a7d7fb25e2eb2c7f95973e30171a9baa50fb2f8e2cfd6
Instruction Fuzzy Hash: D6E0ED31102225AAE7212AA7DC29BDB3E49BF827B1F090122BC0597981CB20DE0287E1

Function 00534F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534F6D

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e29bdbc54739d17583c8a90db58aa3e09be2f90185a007ec1b2769a0ef892227
Instruction ID: a204191f33d8a29f4c8e7478f1117c1c6123efedf1b05b4d322b8cdbaf742e70
Opcode Fuzzy Hash: e29bdbc54739d17583c8a90db58aa3e09be2f90185a007ec1b2769a0ef892227
Instruction Fuzzy Hash: 46F01C71105752CFDB349F65D494812BFE4BF1431971889AEE1DA82611C731A848DF50

Function 005C2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005C2A66

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 3427d697bc149dea9426de2f8152477618d5176937513d67f33d460b6b1b6163
Instruction ID: f8ee1af4d69297105b656f6d7d976201bb1e9e58eea4a41a49bc6760ad594e86
Opcode Fuzzy Hash: 3427d697bc149dea9426de2f8152477618d5176937513d67f33d460b6b1b6163
Instruction Fuzzy Hash: 21E0DF32350116AECB10EB74DC84EFE7F4CFB90390F00443AEC1AC2100DB34898596E0

Function 00532DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00532DC4

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 8da805589d3aab65a48023b99c8c9fe42b2084c2017d59582bb8b5e829f3cf60
Instruction ID: 25fe72b4cef41877e076734ad1989071590254a09b8b8a8077021cf5dc9137f6
Opcode Fuzzy Hash: 8da805589d3aab65a48023b99c8c9fe42b2084c2017d59582bb8b5e829f3cf60
Instruction Fuzzy Hash: FAE0CD76A001245BC71092589C09FDA7BDDEFC8790F044075FD0DD7248D960AD84C650

Function 00532B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00533837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00533908

Part of subcall function 0053D730: GetInputState.USER32 ref: 0053D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00532B6B

Part of subcall function 005330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0053314E

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 059ec2491585c7dc0da2249bdfaf5a9a9c912262c2472617f19a7ff62f1b760c
Instruction ID: 50ff3c3ab68551fff2ff479b787cf91319316baae697cab1ad374f3fd14197d3
Opcode Fuzzy Hash: 059ec2491585c7dc0da2249bdfaf5a9a9c912262c2472617f19a7ff62f1b760c
Instruction Fuzzy Hash: 3DE0863170424606C708BB74A85A5AEEF9ABBE2351F40193EF146471A2CF6546494261

Function 00593D03 Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00593D18

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: f92297cd2a83a1d87f65cc07ea5546432da6b655d0e75fcad99fbfdc2696060f
Instruction ID: 773e416938c7b8080c958d4dd2a5536db06b94fa64174c204f55d1be34494d95
Opcode Fuzzy Hash: f92297cd2a83a1d87f65cc07ea5546432da6b655d0e75fcad99fbfdc2696060f
Instruction Fuzzy Hash: DCD08CF0AA03087EFB0083718D0BEBB37ACC326E85F004BA4BE02D64C1D9A0DE080230

Function 0057039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00570704,?,?,00000000,?,00570704,00000000,0000000C), ref: 005703B7

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: cb3af69c495824ee51eb46c5990f5a659be68665483b9985d8ca56c66d50df7f
Instruction ID: cb2dc5d94b29eed45b440059c493faab4edd1bda38a07ebc83ac2c497e8491c9
Opcode Fuzzy Hash: cb3af69c495824ee51eb46c5990f5a659be68665483b9985d8ca56c66d50df7f
Instruction Fuzzy Hash: 08D06C3204010DBFDF028F85DD06EDA3FAAFB48714F014000FE1856020C736E821EB90

Function 00531CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00531CBC

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: e45c569dc7f00e4046e18638d7643bda891d77b2d50891da5e103270f1cd461c
Instruction ID: ebd8e00b703ecad3123148afaf5f59faa9d27f001141d9adf2e645fce0868d79
Opcode Fuzzy Hash: e45c569dc7f00e4046e18638d7643bda891d77b2d50891da5e103270f1cd461c
Instruction Fuzzy Hash: 26C0923A2C0305AFF3198B80BC5EF127B66E758B00F04A001F60DA95E3C3A22821EA54

Non-executed Functions

Function 005C9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 005C961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005C965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 005C969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005C96C9
SendMessageW.USER32 ref: 005C96F2
GetKeyState.USER32(00000011), ref: 005C978B
GetKeyState.USER32(00000009), ref: 005C9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005C97AE
GetKeyState.USER32(00000010), ref: 005C97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005C97E9
SendMessageW.USER32 ref: 005C9810
SendMessageW.USER32(?,00001030,?,005C7E95), ref: 005C9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 005C992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005C9941
SetCapture.USER32(?), ref: 005C994A
ClientToScreen.USER32(?,?), ref: 005C99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005C99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005C99D6
ReleaseCapture.USER32 ref: 005C99E1
GetCursorPos.USER32(?), ref: 005C9A19
ScreenToClient.USER32(?,?), ref: 005C9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 005C9A80
SendMessageW.USER32 ref: 005C9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 005C9AEB
SendMessageW.USER32 ref: 005C9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005C9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 005C9B4A
GetCursorPos.USER32(?), ref: 005C9B68
ScreenToClient.USER32(?,?), ref: 005C9B75
GetParent.USER32(?), ref: 005C9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 005C9BFA
SendMessageW.USER32 ref: 005C9C2B
ClientToScreen.USER32(?,?), ref: 005C9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005C9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 005C9CDE
SendMessageW.USER32 ref: 005C9D01
ClientToScreen.USER32(?,?), ref: 005C9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005C9D82

Part of subcall function 00549944: GetWindowLongW.USER32(?,000000EB), ref: 00549952

GetWindowLongW.USER32(?,000000F0), ref: 005C9E05

Strings

@GUI_DRAGID, xrefs: 005C997D
p#`, xrefs: 005C9990
F, xrefs: 005C9D07

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#`
API String ID: 3429851547-2797331669
Opcode ID: bd6fa083a9a3f31a5c8f3406990e40630691784a5e90b4507027b8a0729b2ba5
Instruction ID: 1c6632e07adaffee7d99af84c9a874457fa0e676f069c14a1704c822c5ead45d
Opcode Fuzzy Hash: bd6fa083a9a3f31a5c8f3406990e40630691784a5e90b4507027b8a0729b2ba5
Instruction Fuzzy Hash: EE427D34204241AFDB24CFA8CC48FAABFE5FF89314F14061DF5999B2A1D7319994DB91

Function 005C4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005C48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 005C4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 005C4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 005C494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 005C495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 005C497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005C49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005C49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 005C4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005C4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005C4A7E
IsMenu.USER32(?), ref: 005C4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005C4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005C4B20
GetWindowLongW.USER32(?,000000F0), ref: 005C4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 005C4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 005C4C82
wsprintfW.USER32 ref: 005C4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005C4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 005C4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005C4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005C4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 005C4D5A

Strings

%d/%02d/%02d, xrefs: 005C4CA8

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 6ed6e58b17e8e8ec11428f966c4435b39090a14da72a58ed3a87f9db45277241
Instruction ID: a9ac880ac67e6844b318a719f46d78f60dd427e7fc7246f6864418b10af1577c
Opcode Fuzzy Hash: 6ed6e58b17e8e8ec11428f966c4435b39090a14da72a58ed3a87f9db45277241
Instruction Fuzzy Hash: 6312DC71A00215AFEB248FA8CC59FAE7FB8BF85310F10452DF51AEA2A1DB749941CF50

Function 0054F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0054F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0058F474
IsIconic.USER32(00000000), ref: 0058F47D
ShowWindow.USER32(00000000,00000009), ref: 0058F48A
SetForegroundWindow.USER32(00000000), ref: 0058F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0058F4AA
GetCurrentThreadId.KERNEL32 ref: 0058F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0058F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0058F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0058F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0058F4DE
SetForegroundWindow.USER32(00000000), ref: 0058F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0058F4F6
keybd_event.USER32(00000012,00000000), ref: 0058F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0058F50B
keybd_event.USER32(00000012,00000000), ref: 0058F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0058F519
keybd_event.USER32(00000012,00000000), ref: 0058F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0058F528
keybd_event.USER32(00000012,00000000), ref: 0058F52D
SetForegroundWindow.USER32(00000000), ref: 0058F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0058F557

Strings

Shell_TrayWnd, xrefs: 0058F46F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6f81a9e0ba2dd59c2f7282ca7184fcd4b4bce3bae8f16c9a515576a5de11f1d7
Instruction ID: 4069f2d4d9ff276b6b98815d4fe50647537e69181846488e473352163979c7b4
Opcode Fuzzy Hash: 6f81a9e0ba2dd59c2f7282ca7184fcd4b4bce3bae8f16c9a515576a5de11f1d7
Instruction Fuzzy Hash: B7314F71A40218BFEB206BB55C4AFBF7E6CFB58B50F10046AFA05F61D1C6B55D01ABA0

Function 00591201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0059170D
Part of subcall function 005916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0059173A
Part of subcall function 005916C3: GetLastError.KERNEL32 ref: 0059174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00591286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005912A8
CloseHandle.KERNEL32(?), ref: 005912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005912D1
GetProcessWindowStation.USER32 ref: 005912EA
SetProcessWindowStation.USER32(00000000), ref: 005912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00591310

Part of subcall function 005910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005911FC), ref: 005910D4
Part of subcall function 005910BF: CloseHandle.KERNEL32(?,?,005911FC), ref: 005910E9

Strings

Z_, xrefs: 00591392
winsta0, xrefs: 005912CC
default, xrefs: 0059130B
, xrefs: 0059125A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z_
API String ID: 22674027-136207353
Opcode ID: d336d9e1f3ea3e515c0d2d20f96e3006801b620c8f81ab430c49ac6c0a953950
Instruction ID: 408816e79e51f306f1533f4fbbdb363510762321c625f73fa35442ab2ec02b09
Opcode Fuzzy Hash: d336d9e1f3ea3e515c0d2d20f96e3006801b620c8f81ab430c49ac6c0a953950
Instruction Fuzzy Hash: D481BE7190061AAFEF209FA8DC49FEE7FB9FF08704F144129FA18A61A0D7358944DB24

Function 00590B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00591114
Part of subcall function 005910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 00591120
Part of subcall function 005910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 0059112F
Part of subcall function 005910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 00591136
Part of subcall function 005910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0059114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00590BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00590C00
GetLengthSid.ADVAPI32(?), ref: 00590C17
GetAce.ADVAPI32(?,00000000,?), ref: 00590C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00590C6D
GetLengthSid.ADVAPI32(?), ref: 00590C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00590C8C
HeapAlloc.KERNEL32(00000000), ref: 00590C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00590CB4
CopySid.ADVAPI32(00000000), ref: 00590CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00590CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00590D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00590D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00590D45
HeapFree.KERNEL32(00000000), ref: 00590D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00590D55
HeapFree.KERNEL32(00000000), ref: 00590D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00590D65
HeapFree.KERNEL32(00000000), ref: 00590D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00590D78
HeapFree.KERNEL32(00000000), ref: 00590D7F

Part of subcall function 00591193: GetProcessHeap.KERNEL32(00000008,00590BB1,?,00000000,?,00590BB1,?), ref: 005911A1
Part of subcall function 00591193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00590BB1,?), ref: 005911A8
Part of subcall function 00591193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00590BB1,?), ref: 005911B7

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 0f655b356d8e9669596dffb175cbc1bb1a23eb5a485541941d80571d0f4f1d58
Instruction ID: b49e43295721a941fb30b262249f62717193ae0c84c0ed25279c66432d8c5bcd
Opcode Fuzzy Hash: 0f655b356d8e9669596dffb175cbc1bb1a23eb5a485541941d80571d0f4f1d58
Instruction Fuzzy Hash: 3571687290020AAFDF10DFA5DC48FAEBFBCFF14304F044915E919A6291D775AA09DBA0

Function 005AEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(005CCC08), ref: 005AEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 005AEB37
GetClipboardData.USER32(0000000D), ref: 005AEB43
CloseClipboard.USER32 ref: 005AEB4F
GlobalLock.KERNEL32(00000000), ref: 005AEB87
CloseClipboard.USER32 ref: 005AEB91
GlobalUnlock.KERNEL32(00000000), ref: 005AEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 005AEBC9
GetClipboardData.USER32(00000001), ref: 005AEBD1
GlobalLock.KERNEL32(00000000), ref: 005AEBE2
GlobalUnlock.KERNEL32(00000000), ref: 005AEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 005AEC38
GetClipboardData.USER32(0000000F), ref: 005AEC44
GlobalLock.KERNEL32(00000000), ref: 005AEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 005AEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 005AEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 005AECD2
GlobalUnlock.KERNEL32(00000000), ref: 005AECF3
CountClipboardFormats.USER32 ref: 005AED14
CloseClipboard.USER32 ref: 005AED59

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 7c86c4764f8502bf67454fad3a0f210a104f6a17cf60b56cc7f8fea93dfa074f
Instruction ID: 58eeefeb174d7e732cb5895af92f1cab4875b4c31cccf77e29b9e5969bfbcf18
Opcode Fuzzy Hash: 7c86c4764f8502bf67454fad3a0f210a104f6a17cf60b56cc7f8fea93dfa074f
Instruction Fuzzy Hash: EF61E234204206AFD300EF24D88AF6EBFA4BF96714F14451DF49A972A1CB71DD4ADB62

Function 005A698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005A69BE
FindClose.KERNEL32(00000000), ref: 005A6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005A6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005A6A75

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 005A6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 005A6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 005A6B32
%4d, xrefs: 005A6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 005A6B6A
%02d, xrefs: 005A6C00, 005A6C0A, 005A6C5A, 005A6CAA, 005A6CFA, 005A6D4A
%03d, xrefs: 005A6DA2

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d34e10b49b8abe8bacaf839136c4b735a72c7e2901a2b12ddecc0fcfba09fc52
Instruction ID: 5a1a69e8a97207b1e98fd5005119fd960b60389031f928392ff1b7cc7c10932b
Opcode Fuzzy Hash: d34e10b49b8abe8bacaf839136c4b735a72c7e2901a2b12ddecc0fcfba09fc52
Instruction Fuzzy Hash: 6AD150B2508305AFC714DBA4C889EAFBBECBF89704F04491DF585D6291EB74DA44CB62

Function 005A9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 005A9663
GetFileAttributesW.KERNEL32(?), ref: 005A96A1
SetFileAttributesW.KERNEL32(?,?), ref: 005A96BB
FindNextFileW.KERNEL32(00000000,?), ref: 005A96D3
FindClose.KERNEL32(00000000), ref: 005A96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005A96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 005A974A
SetCurrentDirectoryW.KERNEL32(005F6B7C), ref: 005A9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 005A9772
FindClose.KERNEL32(00000000), ref: 005A977F
FindClose.KERNEL32(00000000), ref: 005A978F

Strings

*.*, xrefs: 005A96F5

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 938f54696e87e921be1f7196e5dde71ee7c3380a389411d88171db2e27891bb1
Instruction ID: 6eba99497a6b6a3cd595c5250e03f7d8091d7e6826313db34f7969cdce0407cd
Opcode Fuzzy Hash: 938f54696e87e921be1f7196e5dde71ee7c3380a389411d88171db2e27891bb1
Instruction Fuzzy Hash: 4131B23650062A6EDB14AFB4DC08EEE7FACFF4A321F104596E915E2090EB34DD448A60

Function 005A979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 005A97BE
FindNextFileW.KERNEL32(00000000,?), ref: 005A9819
FindClose.KERNEL32(00000000), ref: 005A9824
FindFirstFileW.KERNEL32(*.*,?), ref: 005A9840
SetCurrentDirectoryW.KERNEL32(?), ref: 005A9890
SetCurrentDirectoryW.KERNEL32(005F6B7C), ref: 005A98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005A98B8
FindClose.KERNEL32(00000000), ref: 005A98C5
FindClose.KERNEL32(00000000), ref: 005A98D5

Part of subcall function 0059DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0059DB00

Strings

*.*, xrefs: 005A983B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: cfc4db99d38f7261a890e802ca23c4c49820f19227d925e855a02816e24fab4c
Instruction ID: 082c8bdc676ff88449e7719a03d6324fde629fa49aa3ff2f8f1b01362311863c
Opcode Fuzzy Hash: cfc4db99d38f7261a890e802ca23c4c49820f19227d925e855a02816e24fab4c
Instruction Fuzzy Hash: AB31903550062A6EDB10EFA4EC58EEE7FACFF47320F144596E954A2190DB38DA49CB60

Function 005BBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005BB6AE,?,?), ref: 005BC9B5
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BC9F1
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA68
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 005BBFA9
RegCloseKey.ADVAPI32(00000000), ref: 005BBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 005BC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005BC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005BC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005BC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 005BC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005BC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 005BC382
RegCloseKey.ADVAPI32(00000000), ref: 005BC38F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 807435f0448e36d5bf91d852a4fde29d7e88c9ffc8d326b93e6b0af4657be39d
Instruction ID: 7ab0335f52af1fa806c029c157796df33e0a2670487d883ce84bd531175be3ae
Opcode Fuzzy Hash: 807435f0448e36d5bf91d852a4fde29d7e88c9ffc8d326b93e6b0af4657be39d
Instruction Fuzzy Hash: 2A025B71604201AFD714CF28C895E6ABFE5BF89308F58889DF84ADB2A2D731EC45CB51

Function 005A8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005A8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 005A8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005A8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005A8310
SetCurrentDirectoryW.KERNEL32(?), ref: 005A8324
SetCurrentDirectoryW.KERNEL32(?), ref: 005A8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005A838C
SetCurrentDirectoryW.KERNEL32(?), ref: 005A8395

Strings

*.*, xrefs: 005A839B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 807222bc8efaf8e33e6b86c35e425f85c15b7b8cec5a698c2a62d4ce3d712ae3
Instruction ID: 12fbb57c1ff0ff38461eda1e05416bf4d9632f50463dcdcf8905b26032414e97
Opcode Fuzzy Hash: 807222bc8efaf8e33e6b86c35e425f85c15b7b8cec5a698c2a62d4ce3d712ae3
Instruction Fuzzy Hash: 01616C765043069FCB10EF60C844AAEBBE8FF89310F044D1EF98997251EB35E949CB92

Function 0059D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00533AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00533A97,?,?,00532E7F,?,?,?,00000000), ref: 00533AC2

Part of subcall function 0059E199: GetFileAttributesW.KERNEL32(?,0059CF95), ref: 0059E19A

FindFirstFileW.KERNEL32(?,?), ref: 0059D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0059D1DD
MoveFileW.KERNEL32(?,?), ref: 0059D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0059D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0059D237

Part of subcall function 0059D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0059D21C,?,?), ref: 0059D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0059D253
FindClose.KERNEL32(00000000), ref: 0059D264

Strings

\*.*, xrefs: 0059D0CD, 0059D0D6, 0059D0EB

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 99dd89055afd93cc9f7bc34a8f7b0541143e081112c0f4a04bd94765eb8f454d
Instruction ID: f7198b95078611fa5f52e4781b49776e1f7ee5dd9ca17fd4c55d6ba8bb1dba99
Opcode Fuzzy Hash: 99dd89055afd93cc9f7bc34a8f7b0541143e081112c0f4a04bd94765eb8f454d
Instruction Fuzzy Hash: 31617B7180510EAECF05EBE0CA969EDBFB5BF94300F204065E442771A1EB30AF09DB60

Function 005AED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 005AED91
EmptyClipboard.USER32 ref: 005AED97
GlobalAlloc.KERNEL32(00000002,?), ref: 005AEDAC
CloseClipboard.USER32 ref: 005AEEA3

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: fbdccc248e202849f611f42d159af39c36b5248f9b9896cc8cf811d0966cefa0
Instruction ID: ab7076436686094cf56dbc721f6b2446176548b735bd40f12b2d00f0671b1997
Opcode Fuzzy Hash: fbdccc248e202849f611f42d159af39c36b5248f9b9896cc8cf811d0966cefa0
Instruction Fuzzy Hash: 43418B35604611AFE720CF19E88AF1ABFA5FF45319F14C09DE4598B662C735EC42CB90

Function 0059E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0059170D
Part of subcall function 005916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0059173A
Part of subcall function 005916C3: GetLastError.KERNEL32 ref: 0059174A

ExitWindowsEx.USER32(?,00000000), ref: 0059E932

Strings

@, xrefs: 0059E925
, xrefs: 0059E95C
, xrefs: 0059E920
SeShutdownPrivilege, xrefs: 0059E902

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: e597b68cb68c6700977c1036a9dd26a7749a4d2e8f724af561e26b366127647b
Instruction ID: fb0fae795708b757432c5c3390c145b2206bfe1ab3b23920ee3bc5c693711ba1
Opcode Fuzzy Hash: e597b68cb68c6700977c1036a9dd26a7749a4d2e8f724af561e26b366127647b
Instruction Fuzzy Hash: AC01F972A10612AFEF54A6B49C8BFBF7E6CB714B50F150821FD03E21D1D9A15C449194

Function 005B1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005B1276
WSAGetLastError.WSOCK32 ref: 005B1283
bind.WSOCK32(00000000,?,00000010), ref: 005B12BA
WSAGetLastError.WSOCK32 ref: 005B12C5
closesocket.WSOCK32(00000000), ref: 005B12F4
listen.WSOCK32(00000000,00000005), ref: 005B1303
WSAGetLastError.WSOCK32 ref: 005B130D
closesocket.WSOCK32(00000000), ref: 005B133C

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: d15dab7d67f5105a949f171bc5ace76acd1a35242c60d412d5008a8a3025cf2b
Instruction ID: 7d99a4ccb53984085fa112b35d659da14a7bca4cf3b828a041538492066c2825
Opcode Fuzzy Hash: d15dab7d67f5105a949f171bc5ace76acd1a35242c60d412d5008a8a3025cf2b
Instruction Fuzzy Hash: 4E419E35A005019FD710DF24C498B6ABFE6BF86318F588098E8569F292C771FD85CBE0

Function 0056B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0056B9D4
_free.LIBCMT ref: 0056B9F8
_free.LIBCMT ref: 0056BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005D3700), ref: 0056BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0060121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0056BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00601270,000000FF,?,0000003F,00000000,?), ref: 0056BC36
_free.LIBCMT ref: 0056BD4B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: b07161c0845eb7cf544a7fcb85f8739947fd062f29dae2f6a5d0866c5a59ddf6
Instruction ID: 0dd21c7ee0a9d7221f3e1984fd42e6ea7055f4abde3476ebbf824e6033fae34c
Opcode Fuzzy Hash: b07161c0845eb7cf544a7fcb85f8739947fd062f29dae2f6a5d0866c5a59ddf6
Instruction Fuzzy Hash: B8C10771A04206AFEB249F68CC55BAE7FB9FF81350F14459AE494DB291EB309EC1CB50

Function 0059D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00533AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00533A97,?,?,00532E7F,?,?,?,00000000), ref: 00533AC2

Part of subcall function 0059E199: GetFileAttributesW.KERNEL32(?,0059CF95), ref: 0059E19A

FindFirstFileW.KERNEL32(?,?), ref: 0059D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0059D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0059D481
FindClose.KERNEL32(00000000), ref: 0059D498
FindClose.KERNEL32(00000000), ref: 0059D4A1

Strings

\*.*, xrefs: 0059D3F2

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 63587742e0e6c2285d3726ab76ee31433b965fd3ff511d11018e2a61783a4b78
Instruction ID: 64ac2a63995b77d5f9b98d4143dfdcb153b05998b4f780ff3e5a6ec8baffad04
Opcode Fuzzy Hash: 63587742e0e6c2285d3726ab76ee31433b965fd3ff511d11018e2a61783a4b78
Instruction Fuzzy Hash: EB3170710083469FC701EF64D8559AFBFA8BED1310F444E1DF4D9531A1EB60AA09DB63

Function 0056E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0056E645

Strings

1#IND, xrefs: 0056F83D
1#QNAN, xrefs: 0056F84B
1#SNAN, xrefs: 0056F844
1#INF, xrefs: 0056F852

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ded6f5fba7589ff9ea726830356ad94507c41a6b260e9e7ebdd514fb0cf06591
Instruction ID: 58cd3b018e5fdd1d670e6a68685f7c3796287b74916642846f258812ed0f771c
Opcode Fuzzy Hash: ded6f5fba7589ff9ea726830356ad94507c41a6b260e9e7ebdd514fb0cf06591
Instruction Fuzzy Hash: 9FC26A71E096288FDB25CE28DD457EABBB5FB84305F1445EAD80EE7241E774AE818F40

Function 005A648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005A64DC
CoInitialize.OLE32(00000000), ref: 005A6639
CoCreateInstance.OLE32(005CFCF8,00000000,00000001,005CFB68,?), ref: 005A6650
CoUninitialize.OLE32 ref: 005A68D4

Strings

.lnk, xrefs: 005A64BA, 005A6524, 005A65E0

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9a4cc76cf2653a74a9f546eaa499ade2b9a5594602b0c1a20e5f84062e874885
Instruction ID: 6ecf306a04d3b43991b13eeb85b99c3d67382ea46d91a05887036b82c2c4d3c9
Opcode Fuzzy Hash: 9a4cc76cf2653a74a9f546eaa499ade2b9a5594602b0c1a20e5f84062e874885
Instruction Fuzzy Hash: BAD14971508206AFC314EF24C88596BBBE8FFD9704F44496DF5958B291EB70ED09CBA2

Function 005B22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005B22E8

Part of subcall function 005AE4EC: GetWindowRect.USER32(?,?), ref: 005AE504

GetDesktopWindow.USER32 ref: 005B2312
GetWindowRect.USER32(00000000), ref: 005B2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 005B2355
GetCursorPos.USER32(?), ref: 005B2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005B23DF

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: b0c66cc03f67e3b308ffa3c2b29f6adec4ad3beaf1a2b762787e7ac5f4667cb1
Instruction ID: 729e994ca8d462b7706a28b4aa8addc52430e15b01fb9d9bb67cd1718fd3c044
Opcode Fuzzy Hash: b0c66cc03f67e3b308ffa3c2b29f6adec4ad3beaf1a2b762787e7ac5f4667cb1
Instruction Fuzzy Hash: 1831B072505715AFDB20DF54C849F9BBBE9FF88314F000919F98997191DB34E909CBA2

Function 005A9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 005A9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 005A9C8B

Part of subcall function 005A3874: GetInputState.USER32 ref: 005A38CB
Part of subcall function 005A3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005A3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 005A9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 005A9C75

Strings

*.*, xrefs: 005A9B5D

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 65fa7ca174d15d75aef5de46a653346d9a681c68902034f0d0702312fd7bca9d
Instruction ID: 29552ff74baa5025a4051151589572475b08144957134ef8b8b67902fb238f90
Opcode Fuzzy Hash: 65fa7ca174d15d75aef5de46a653346d9a681c68902034f0d0702312fd7bca9d
Instruction Fuzzy Hash: 3A41717194461A9FCF14DFA4CC99AEEBFB8FF46310F248556E905A2191EB309E44CF60

Function 0054997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00549A4E
GetSysColor.USER32(0000000F), ref: 00549B23
SetBkColor.GDI32(?,00000000), ref: 00549B36

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: da9e473d2dbefbc961a4606edde17c4547749cade8e1d4f41ac7d695f5957f07
Instruction ID: ba5687f402b1adf00ae9822e47bb3c0ba3d97bf1c06d6c2c1a4412e08f914c22
Opcode Fuzzy Hash: da9e473d2dbefbc961a4606edde17c4547749cade8e1d4f41ac7d695f5957f07
Instruction Fuzzy Hash: 34A11C70108458BEE728BA3E8C8EEFB3E9EFBC6358B244609F502D6591CA25DD01D371

Function 005B1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005B307A
Part of subcall function 005B304E: _wcslen.LIBCMT ref: 005B309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 005B185D
WSAGetLastError.WSOCK32 ref: 005B1884
bind.WSOCK32(00000000,?,00000010), ref: 005B18DB
WSAGetLastError.WSOCK32 ref: 005B18E6
closesocket.WSOCK32(00000000), ref: 005B1915

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: f6f7607c94b333d29bfde4d19243ac29e8e034e9c254168fe636ac1db56c7ff8
Instruction ID: d904f055904bf23b7dae8a7199eb0ab08aeb15e91b74f0c4dd0c0591c9f1877d
Opcode Fuzzy Hash: f6f7607c94b333d29bfde4d19243ac29e8e034e9c254168fe636ac1db56c7ff8
Instruction Fuzzy Hash: 2851C675A00600AFDB10AF24C89AF6A7FE5BB84718F54845CFA066F3D3D771AD418BA1

Function 005C1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005C1CC0
IsWindowEnabled.USER32 ref: 005C1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 005C1CDB
IsIconic.USER32 ref: 005C1CE9
IsZoomed.USER32 ref: 005C1CF7

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b8829b3b63e8567a2efc5d86f8caee93c124c9ab070c826dfaf476f24a353bf4
Instruction ID: c3da2e9af779f553c2d237041e9bec11e1172f4d4772a7eae67edc49253f4e81
Opcode Fuzzy Hash: b8829b3b63e8567a2efc5d86f8caee93c124c9ab070c826dfaf476f24a353bf4
Instruction Fuzzy Hash: A5219131740A115FD7208F6AC884F6A7FA5FF96315F19806CE84A8B352CB71DC42CB98

Function 00538060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 005383E8
VUUU, xrefs: 00575DF0
ERCP, xrefs: 0053813C
VUUU, xrefs: 0053843C
VUUU, xrefs: 005383FA

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 0d4b8f4fe90b7b295217d5955296f2dcac17a20b36c52015c25ef733bf2f669a
Instruction ID: 6178ecbd4093db09f1ab751afec0169d66788a03586c5a3dfade5aca58c224c0
Opcode Fuzzy Hash: 0d4b8f4fe90b7b295217d5955296f2dcac17a20b36c52015c25ef733bf2f669a
Instruction Fuzzy Hash: A8A29175E0061ACBDF28CF58D8457BEBBB1BF54310F2485A9E819A7281EB709D81DF90

Function 00598298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005982AA

Strings

tb_, xrefs: 005984F4
(, xrefs: 005982F0
|, xrefs: 005982DA

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb_$|
API String ID: 1659193697-2948932382
Opcode ID: f8120d69a9bb6a7db4f641e963174338ae713bacb6735402a0aeabcb352c5cda
Instruction ID: a84be03eb5a41674355c0a4d7ad721082d8db5bee6c8e3531ed057a794044d00
Opcode Fuzzy Hash: f8120d69a9bb6a7db4f641e963174338ae713bacb6735402a0aeabcb352c5cda
Instruction Fuzzy Hash: 9B322575A007059FCB28CF59C481A6ABBF0FF48710B15C96EE59ADB3A1EB70E941CB50

Function 005BA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005BA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 005BA6BA

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Process32NextW.KERNEL32(00000000,?), ref: 005BA79C
CloseHandle.KERNEL32(00000000), ref: 005BA7AB

Part of subcall function 0054CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00573303,?), ref: 0054CE8A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: c4ba70aa0c44bdf678d5eb0a1b220be751f54b25c6fc06d32235e995ae4ffab5
Instruction ID: 1dec77b49abc72662b37d27f214360caa205787d2e99d3cf97af0b1f385375db
Opcode Fuzzy Hash: c4ba70aa0c44bdf678d5eb0a1b220be751f54b25c6fc06d32235e995ae4ffab5
Instruction Fuzzy Hash: D3511BB5508301AFD710EF25C88AA6BBBE8FFC9754F40891DF58997251EB70E904CB92

Function 0059AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0059AAAC
SetKeyboardState.USER32(00000080), ref: 0059AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0059AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0059AB88

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b16351bc598b9e14603edb51dae708e4f629a198d7fb91107ba3c7cb3dc72c66
Instruction ID: 35943875445bb3a9e5cbc94f3e4540dfe2ae31590ba7b298a46f69f21c8142bd
Opcode Fuzzy Hash: b16351bc598b9e14603edb51dae708e4f629a198d7fb91107ba3c7cb3dc72c66
Instruction Fuzzy Hash: FD310330A40648AFFF358A698C09BFA7FABFB94320F04421AE585961D0D7749985D7F2

Function 005ACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 005ACE89
GetLastError.KERNEL32(?,00000000), ref: 005ACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 005ACEFE

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 65deb118840dd7fb2164835a6b673ca0894cf62f92b3e0db513293adf3037039
Instruction ID: 8140ef4360215328d8641d7105dd2c94bf59280d1ffa4cb598815f56cbbebaa5
Opcode Fuzzy Hash: 65deb118840dd7fb2164835a6b673ca0894cf62f92b3e0db513293adf3037039
Instruction Fuzzy Hash: 5E21AC71500705AFEB218F65C948BAA7FFCFB52354F10482EE64692151E774EA08DBA0

Function 005A5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005A5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 005A5D17
FindClose.KERNEL32(?), ref: 005A5D5F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: c03c520e1019dfe69caf787c5cb7bfb74ce418e2a9e170e5d1addc16f3e7db78
Instruction ID: 4dcd40c29c9e837b8b63e1d1c3a23e977fc0fc219f9a3c05ca4c895e738a385d
Opcode Fuzzy Hash: c03c520e1019dfe69caf787c5cb7bfb74ce418e2a9e170e5d1addc16f3e7db78
Instruction Fuzzy Hash: 6C519D75604A029FC714CF28C498E9ABBE4FF4A324F14855DE99A8B3A1DB30ED05CF91

Function 00562622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0056271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00562724
UnhandledExceptionFilter.KERNEL32(?), ref: 00562731

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 60e151217e543206fc223b4d41381fc90c304ef4d82d0f281ffd68f441e77086
Instruction ID: 90f38b31ffc5499197474e43d0993141ed2f6c5164e48ed193c22cc9a427cba7
Opcode Fuzzy Hash: 60e151217e543206fc223b4d41381fc90c304ef4d82d0f281ffd68f441e77086
Instruction Fuzzy Hash: EB31C47490121D9BCB21DF64DC88B9CBBB8BF58311F5042EAE80CA7260E7309F858F44

Function 005A51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005A51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 005A5238
SetErrorMode.KERNEL32(00000000), ref: 005A52A1

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2ffb85dd6213b6e6bb938c12fa86955ee63fdc8ad760a1e76acff554ddf0b0cc
Instruction ID: b07415c9b68b942f5a315c57cf1eb45941f77cdb2eb0f5f17ed709bfd228488d
Opcode Fuzzy Hash: 2ffb85dd6213b6e6bb938c12fa86955ee63fdc8ad760a1e76acff554ddf0b0cc
Instruction Fuzzy Hash: B6311A75A00619DFDB00DF55D888EADBFB5FF49314F088099E809AB362DB31E859CB90

Function 005916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0054FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00550668
Part of subcall function 0054FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00550685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0059170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0059173A
GetLastError.KERNEL32 ref: 0059174A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 34cdcc4f3d958e205c55c4a8a3bc24941f8179446b9b592a5dbe018d951f948e
Instruction ID: bded61cca824259fe81efc52cf3375da4c6a69a491bd9da84e3d43bc2610301c
Opcode Fuzzy Hash: 34cdcc4f3d958e205c55c4a8a3bc24941f8179446b9b592a5dbe018d951f948e
Instruction Fuzzy Hash: 5E11C4B1800706AFD7189F54DC8AD6ABBB9FF44714B24852EE05657241EB70BC418B24

Function 0059D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0059D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0059D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0059D650

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 9fcb6e5836256554a77874ceb40322c83583fd35d663bbb03a7f013cc97e20b6
Instruction ID: 1a6ee7a2c21a1ea882ffb5649d1cb559330ba4f6bd851f2394d82cf21488e7e6
Opcode Fuzzy Hash: 9fcb6e5836256554a77874ceb40322c83583fd35d663bbb03a7f013cc97e20b6
Instruction Fuzzy Hash: 3B115E75E05228BFDB108F95EC45FAFBFBCEB45B50F108155F908E7290D6704A059BA1

Function 00591663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0059168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005916A1
FreeSid.ADVAPI32(?), ref: 005916B1

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5d4cd2a123877c90376dedb3c37724521dcf630aba6210c88fc61af88842bbe9
Instruction ID: ce61423ff6eac54c591612bafdd2e1046ace923dabbcbea6a968ae31972d1438
Opcode Fuzzy Hash: 5d4cd2a123877c90376dedb3c37724521dcf630aba6210c88fc61af88842bbe9
Instruction Fuzzy Hash: C4F0F471950309FFDF00DFE4DD89EAEBBBCFB08604F504565E901E2181E774AA489A54

Function 00554CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005628E9,?,00554CBE,005628E9,005F88B8,0000000C,00554E15,005628E9,00000002,00000000,?,005628E9), ref: 00554D09
TerminateProcess.KERNEL32(00000000,?,00554CBE,005628E9,005F88B8,0000000C,00554E15,005628E9,00000002,00000000,?,005628E9), ref: 00554D10
ExitProcess.KERNEL32 ref: 00554D22

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a18287f16340ec5087e99b64f20129c96fed477c18cf54791637dd82cb0b2577
Instruction ID: ae9e3389b5ebf07b9c7a53a483c03c45ec7d81b34f2193eaf210fb23f01e616b
Opcode Fuzzy Hash: a18287f16340ec5087e99b64f20129c96fed477c18cf54791637dd82cb0b2577
Instruction Fuzzy Hash: 9EE0B631400548AFCF11AF54EE1DE583F79FB91B86B144419FC098B122CB36DD8ADE90

Function 0056C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0056C36C

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 6916d2bb1669c3175067e47278fd2142a090c0d93fdb2f668a3921605d055281
Instruction ID: e1da56c959855819b1f2734516d7ec567a79b6c98346a4725386483fd563f106
Opcode Fuzzy Hash: 6916d2bb1669c3175067e47278fd2142a090c0d93fdb2f668a3921605d055281
Instruction Fuzzy Hash: 4E412676600219ABCB209FB9CC4CDBB7F78FB84315F104669F945C7280E6709D418B50

Function 0058D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0058D28C

Strings

X64, xrefs: 0058D2A8

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: dc205bcd19553f172fc066163105b234840b41359d71392497b1f491ed9d2c19
Instruction ID: 5ec5e61f3c1f1d2a881c39f0f98553a058c7603a517b806648e5705bd20d43c2
Opcode Fuzzy Hash: dc205bcd19553f172fc066163105b234840b41359d71392497b1f491ed9d2c19
Instruction Fuzzy Hash: 62D0C9B480111DEECB90DB90EC8CDDDBBBCBB14305F100551F50AB2040D73495489F20

Function 0055CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 93d4a4be2c81a4d74f69ba06201c4ec82d3feed8c5913770442c474069e51d19
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A7021A71E002199FDF14CFA9D8906ADBFF5FF88315F25816AD819EB280D731AE458B84

Function 0053CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00580C40
p#`, xrefs: 0053CF7F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#`
API String ID: 0-476173941
Opcode ID: e8950a44ca9c118b5a1ac4ea2599a402f36b2bbc54a39a6941e796eb5527d9b9
Instruction ID: 78decce972184a916ee2f037ca4b16ff4b17993a615b0056982179579c7dd598
Opcode Fuzzy Hash: e8950a44ca9c118b5a1ac4ea2599a402f36b2bbc54a39a6941e796eb5527d9b9
Instruction Fuzzy Hash: 4732BD74900219DFDF14EF94C889AEEBFB9BF45304F109459E806BB292D731AE49CB60

Function 005A68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005A6918
FindClose.KERNEL32(00000000), ref: 005A6961

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1a1d8ed57308b26b993e9cbff591f631be5d7e2193a4d0066e8f5145e4d914e3
Instruction ID: ff90bb2646bbe5529864fa78d5d12a183237a1f9cb56fec4bf42421a31df87c6
Opcode Fuzzy Hash: 1a1d8ed57308b26b993e9cbff591f631be5d7e2193a4d0066e8f5145e4d914e3
Instruction Fuzzy Hash: 831190756046019FC710DF29D488A1ABFE5FF89328F18C699E4698F7A2CB30EC05CB91

Function 005A37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,005B4891,?,?,00000035,?), ref: 005A37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,005B4891,?,?,00000035,?), ref: 005A37F4

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 44e0bc1c0d6ed213eedd945c8224c021209de9aa55be2b0b9b4248d1c100f820
Instruction ID: 25d936b7a4c310ea2e32da44971c8e5600fbd135700aef961e4bb991f16c0002
Opcode Fuzzy Hash: 44e0bc1c0d6ed213eedd945c8224c021209de9aa55be2b0b9b4248d1c100f820
Instruction Fuzzy Hash: EDF0E5B16043292AE720576A9C4DFEB3FAEFFC5B65F000175F509D2281D9A09E08C6B0

Function 0059B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0059B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0059B270

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 7790f1d3c2214aca535f79cefaee8fca809ea7852b38ca16249992dc2aa75817
Instruction ID: a4cad9c650d922e705e2c6b7f03205714ca52ae6d0db30ec9babc06d452e2bbe
Opcode Fuzzy Hash: 7790f1d3c2214aca535f79cefaee8fca809ea7852b38ca16249992dc2aa75817
Instruction Fuzzy Hash: 75F01D7580424DAFEF059FA0D805BAE7FB4FF04305F04841AF955A5191C37996159F94

Function 005910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005911FC), ref: 005910D4
CloseHandle.KERNEL32(?,?,005911FC), ref: 005910E9

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f4d4c08c04ed3621e8f09c0fc0b0f032412f3d13ebbc70116bd8ce0940705439
Instruction ID: 9c806700ccab2ee070c3ff7653242f32ea32472c9a08096378e8c0514811d81c
Opcode Fuzzy Hash: f4d4c08c04ed3621e8f09c0fc0b0f032412f3d13ebbc70116bd8ce0940705439
Instruction Fuzzy Hash: D2E04F32004A11AFE7252B15FC09EB77FA9FB04314B14882DF4A6804B1DB626CA0EB14

Function 0056676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00566766,?,?,00000008,?,?,0056FEFE,00000000), ref: 00566998

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 20a65de963de62a08cd71c49484f58b36d8776eb7e082bd505d150b78aedf0ef
Instruction ID: e63160baddd065d779955c4dcb073c539c64682ea262053c0210ecbd46a0733d
Opcode Fuzzy Hash: 20a65de963de62a08cd71c49484f58b36d8776eb7e082bd505d150b78aedf0ef
Instruction Fuzzy Hash: 81B12A35610609DFD719CF28C48AB657FE0FF45364F298658E89ACF2A2C735E991CB40

Function 0054B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0058851F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 90443bf64c661e66fea4c75ef0302f4461c12e87f40e00fdfa8315e5b88fabfe
Instruction ID: 77b0cdc8163ea53c587b51f6ffd77613e2323187242587f6aacbba9227cbc6ec
Opcode Fuzzy Hash: 90443bf64c661e66fea4c75ef0302f4461c12e87f40e00fdfa8315e5b88fabfe
Instruction Fuzzy Hash: C7125E759002299FDF24DF58C880AFEBBB5FF48714F54859AE849EB251DB309E81CB90

Function 005AEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 005AEABD

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 5d0463f3012bb61cae696cb3daf9580fe52b76b8b214db2560f36535104ba76e
Instruction ID: 32b6b0981d0fd9757268db949d22c30d86934d29dac2ad6c6258cef8bc374b4e
Opcode Fuzzy Hash: 5d0463f3012bb61cae696cb3daf9580fe52b76b8b214db2560f36535104ba76e
Instruction Fuzzy Hash: 09E01A362002059FD710EF59D809E9ABFE9BF99760F00841AFD49DB351DA70AC408B90

Function 005509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005503EE), ref: 005509DA

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 73eab3242910cd9331c2001dd2fa0f4a8793f02224dab76abe74ab31b1e99bf2
Instruction ID: a7b725e22165d86fc76c17b365799dd26105aac28ccb5d5d170bee8933d89a29
Opcode Fuzzy Hash: 73eab3242910cd9331c2001dd2fa0f4a8793f02224dab76abe74ab31b1e99bf2
Instruction Fuzzy Hash:

Function 0055781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0055798B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 686535a04cdb9aac4bb46bac1d27b7d98d43c89b06121340ee68798be5655630
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 3F516B7160C64E5BDB384568A87D7BE2FA5BB5E303F18090BDC82D7282C611DE0DD365

Function 005A2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&`, xrefs: 005A2053

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID: 0&`
API String ID: 0-1430707966
Opcode ID: 516ec4b8b32618cd5575ed5e7c9fded708af8570f587e4e6a6ede3544b7fa7bd
Instruction ID: e1c2ab94a17faa6e5c8a71b817ddba7c49c4e0aac11bd1a5273a35c033a6a345
Opcode Fuzzy Hash: 516ec4b8b32618cd5575ed5e7c9fded708af8570f587e4e6a6ede3544b7fa7bd
Instruction Fuzzy Hash: 2021A8326605118BD728CE79C82767F77E5BB54310F15862EE4A7C37D1DE76A904C740

Function 00566DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028a837af8875613bf317439a196f2bb373368695a3f6d46b2976750d0610af4
Instruction ID: e4e5947a90d91c54c73c8954c7a5ee2f31631525153d4658fc357c5c243a602c
Opcode Fuzzy Hash: 028a837af8875613bf317439a196f2bb373368695a3f6d46b2976750d0610af4
Instruction Fuzzy Hash: DA321531D2AF454ED7239634C8223356B89AFBB3C9F15D737E81AB69A5EF29C4835100

Function 0054CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2bb758735bdcb668109b61f7b41f5a9006120040d8622d57f06de453c21c3f
Instruction ID: bf80821b35de457aaab942f6f1125a15817f369a510ce0a927d5599928632802
Opcode Fuzzy Hash: 2a2bb758735bdcb668109b61f7b41f5a9006120040d8622d57f06de453c21c3f
Instruction Fuzzy Hash: 77324731A001458BDF28EF29C4D46BD7FB1FB85304F28856ADDAAEB691D234DD81DB60

Function 00537920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8682ce397ba783b78050961f47d6d260fb2d6322b6ad3e7881c73ba4dda15093
Instruction ID: 76e31dad329a97c0a2eb4f630bfb2cc7e06112e14c814ec88aefbc92a3c35072
Opcode Fuzzy Hash: 8682ce397ba783b78050961f47d6d260fb2d6322b6ad3e7881c73ba4dda15093
Instruction Fuzzy Hash: BE22B2B0E0460ADFDF14CF64D885AAEBBF6FF48300F108529E816A7291EB75AD15DB50

Function 005391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601f1d9e999bcfe60c230a97b2f659638e8614370b8dd67cc375c8129b6c2b3a
Instruction ID: 75f10e99ca41e3fc96f1dc7b014dc424fa3d7ae09d64d6ecccc778df037d64a5
Opcode Fuzzy Hash: 601f1d9e999bcfe60c230a97b2f659638e8614370b8dd67cc375c8129b6c2b3a
Instruction Fuzzy Hash: 1602C9B0E00206EBDB05DF54D846AAEBFB5FF48304F108569E81ADB291E7719D14DB91

Function 00551C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a2f4d47ab10edaa85b906ada904e61b5defdf1ce08c720beb8212878a44d3a51
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 129187721084A34ADB29463A853567EFFF17A923A371A079FDCF2CA1C1FE10995CD624

Function 005519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a5cf74c1657cde572d44d0266045cec4f0b207fb289670523ce7275dfed30737
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: CC9173722098A34ADB2E427A857413DFFF16A923B371A079FD8F2CA1C1FE14855CD624

Function 00557A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c007464a36057c5b5226844177c831c2d266a0169bbded44dffafe94e22131a
Instruction ID: 7d88fa4d857f0d83e212c5c5263627acc453106dd17c6fd769b713f139bb83c3
Opcode Fuzzy Hash: 9c007464a36057c5b5226844177c831c2d266a0169bbded44dffafe94e22131a
Instruction Fuzzy Hash: 3961487160870E56DA345928B8B9BBE2F94FF8D723F14091BEC42DB281E911AE4E8355

Function 00557CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ed58495e3eca33165464dde831607f9cca34afe2a5f13ad38dcec532bf2aa1
Instruction ID: ba6ef7efe75d00e9a6e93d5277e8c48a35e158455d342d16a0e8cb4894fa50bd
Opcode Fuzzy Hash: 78ed58495e3eca33165464dde831607f9cca34afe2a5f13ad38dcec532bf2aa1
Instruction Fuzzy Hash: 28616D7120870E56DE344938787ABBE2FA8FF4D703F50095BED43DB281E612AD4E8255

Function 00551706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 07451569a233cd92f45cbac9c97e2e1e720269040267ad0d224564957b5c6a48
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F78176725084A30ADB2D427D853467EFFE1BA923A371A079FD8F2CA1C1EE14995CD624

Function 005B2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005B2B30
DeleteObject.GDI32(00000000), ref: 005B2B43
DestroyWindow.USER32 ref: 005B2B52
GetDesktopWindow.USER32 ref: 005B2B6D
GetWindowRect.USER32(00000000), ref: 005B2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 005B2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 005B2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2CF8
GetClientRect.USER32(00000000,?), ref: 005B2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 005B2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2D80
GlobalLock.KERNEL32(00000000), ref: 005B2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2D98
GlobalUnlock.KERNEL32(00000000), ref: 005B2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2DA8
GlobalFree.KERNEL32(00000000), ref: 005B2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,005CFC38,00000000), ref: 005B2DDB
GlobalFree.KERNEL32(00000000), ref: 005B2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 005B2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 005B2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B303F

Strings

DISPLAY, xrefs: 005B2EA2
static, xrefs: 005B2D3A, 005B2E91
, xrefs: 005B2FC5
AutoIt v3, xrefs: 005B2CF2

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: bb0f12c473b802c02dc598b69b50571c70687a352bbd2a8bf29322c484c4709e
Instruction ID: 2b3a62c444acb9c3f2437c71537170054bc3dece16cbac5c0541b04e6049ae1b
Opcode Fuzzy Hash: bb0f12c473b802c02dc598b69b50571c70687a352bbd2a8bf29322c484c4709e
Instruction Fuzzy Hash: 55026975900209AFDB14DFA4CC89EAE7FB9FF49310F048558F919AB2A1DB74AD05CB60

Function 005C70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 005C712F
GetSysColorBrush.USER32(0000000F), ref: 005C7160
GetSysColor.USER32(0000000F), ref: 005C716C
SetBkColor.GDI32(?,000000FF), ref: 005C7186
SelectObject.GDI32(?,?), ref: 005C7195
InflateRect.USER32(?,000000FF,000000FF), ref: 005C71C0
GetSysColor.USER32(00000010), ref: 005C71C8
CreateSolidBrush.GDI32(00000000), ref: 005C71CF
FrameRect.USER32(?,?,00000000), ref: 005C71DE
DeleteObject.GDI32(00000000), ref: 005C71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 005C7230
FillRect.USER32(?,?,?), ref: 005C7262
GetWindowLongW.USER32(?,000000F0), ref: 005C7284

Part of subcall function 005C73E8: GetSysColor.USER32(00000012), ref: 005C7421
Part of subcall function 005C73E8: SetTextColor.GDI32(?,?), ref: 005C7425
Part of subcall function 005C73E8: GetSysColorBrush.USER32(0000000F), ref: 005C743B
Part of subcall function 005C73E8: GetSysColor.USER32(0000000F), ref: 005C7446
Part of subcall function 005C73E8: GetSysColor.USER32(00000011), ref: 005C7463
Part of subcall function 005C73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005C7471
Part of subcall function 005C73E8: SelectObject.GDI32(?,00000000), ref: 005C7482
Part of subcall function 005C73E8: SetBkColor.GDI32(?,00000000), ref: 005C748B
Part of subcall function 005C73E8: SelectObject.GDI32(?,?), ref: 005C7498
Part of subcall function 005C73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005C74B7
Part of subcall function 005C73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005C74CE
Part of subcall function 005C73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005C74DB

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 86cebf4a440ca4593219d4016fa96b8febba9b4e5b53257d4f30788a700246b3
Instruction ID: 0869e2289ac11bfc93662e5b887fd9af814a525ff9a7a95e8a8c60210b24049a
Opcode Fuzzy Hash: 86cebf4a440ca4593219d4016fa96b8febba9b4e5b53257d4f30788a700246b3
Instruction Fuzzy Hash: 3EA1BE72008705AFDB009FA4DC48E6BBFA9FB98320F140A1DF966961E1D730E948DF51

Function 00548D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00548E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00586AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00586AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00586F43

Part of subcall function 00548F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00548BE8,?,00000000,?,?,?,?,00548BBA,00000000,?), ref: 00548FC5

SendMessageW.USER32(?,00001053), ref: 00586F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00586F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00586FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00586FB7

Strings

0, xrefs: 00586DCF

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: e545305b308b7c99b6ac1a130778d4fc60c8b8ce3b945c1f4998e61d517939da
Instruction ID: 5a8cea408f104f90d48280ac9304874502cc0283ce6940ca25fa84f7048574ac
Opcode Fuzzy Hash: e545305b308b7c99b6ac1a130778d4fc60c8b8ce3b945c1f4998e61d517939da
Instruction Fuzzy Hash: 6D129D30601601DFDB25EF14C858BBABFE9FB45304F144469F989AB661CB31EC92DB91

Function 005B2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 005B273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005B286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005B28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005B28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 005B2900
GetClientRect.USER32(00000000,?), ref: 005B290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 005B2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 005B2964
GetStockObject.GDI32(00000011), ref: 005B2974
SelectObject.GDI32(00000000,00000000), ref: 005B2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 005B2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005B2991
DeleteDC.GDI32(00000000), ref: 005B299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005B29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005B29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 005B2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 005B2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 005B2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 005B2A77
GetStockObject.GDI32(00000011), ref: 005B2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005B2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 005B2A97

Strings

DISPLAY, xrefs: 005B295A
static, xrefs: 005B294F, 005B2A71
msctls_progress32, xrefs: 005B2A13
AutoIt v3, xrefs: 005B28F8

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 58a8cc582b117f6b77d541d9151f1fd268ef2a4a584318e42aae3ea56d8b0bd2
Instruction ID: d3dae37a9450de2fd13c8867e9bea6133f29aa37fd82987cb24f52f3572f8233
Opcode Fuzzy Hash: 58a8cc582b117f6b77d541d9151f1fd268ef2a4a584318e42aae3ea56d8b0bd2
Instruction Fuzzy Hash: 03B14DB1A40619AFEB14DFA8CC49FAF7BA9FB49710F004115FA15EB290D774AD40CBA4

Function 005A4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005A4AED
GetDriveTypeW.KERNEL32(?,005CCB68,?,\\.\,005CCC08), ref: 005A4BCA
SetErrorMode.KERNEL32(00000000,005CCB68,?,\\.\,005CCC08), ref: 005A4D36

Strings

Network, xrefs: 005A4C02
SCSI, xrefs: 005A4C8A
RAMDisk, xrefs: 005A4BF4
PhysicalDrive, xrefs: 005A4B76
SSD, xrefs: 005A4C4A
SATA, xrefs: 005A4CD0
SSA, xrefs: 005A4CA6
FileBackedVirtual, xrefs: 005A4CEC
Fibre, xrefs: 005A4CAD
USB, xrefs: 005A4CB4
ATA, xrefs: 005A4C98
1394, xrefs: 005A4C9F
ATAPI, xrefs: 005A4C91
SAS, xrefs: 005A4CC9
Removable, xrefs: 005A4C10, 005A4C15
iSCSI, xrefs: 005A4CC2
Virtual, xrefs: 005A4CE5
MMC, xrefs: 005A4CDE
\\.\, xrefs: 005A4B3F
CDROM, xrefs: 005A4BFB
RAID, xrefs: 005A4CBB
Unknown, xrefs: 005A4BED, 005A4C83
Fixed, xrefs: 005A4C09

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 96c0c47a5e0136ed7c8290116c162847e34f0c79ba48711ca1b33c70ca9a60db
Instruction ID: caf5ad04ae03914d90e8a9be458395f028de5147fd4af1be2c064f69f7f3b85b
Opcode Fuzzy Hash: 96c0c47a5e0136ed7c8290116c162847e34f0c79ba48711ca1b33c70ca9a60db
Instruction Fuzzy Hash: 1B61D13060520A9BCB04DFA4CA96D7C7FB0BBC6350B248815F90AEB651DBB9ED41DF51

Function 005C73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 005C7421
SetTextColor.GDI32(?,?), ref: 005C7425
GetSysColorBrush.USER32(0000000F), ref: 005C743B
GetSysColor.USER32(0000000F), ref: 005C7446
CreateSolidBrush.GDI32(?), ref: 005C744B
GetSysColor.USER32(00000011), ref: 005C7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 005C7471
SelectObject.GDI32(?,00000000), ref: 005C7482
SetBkColor.GDI32(?,00000000), ref: 005C748B
SelectObject.GDI32(?,?), ref: 005C7498
InflateRect.USER32(?,000000FF,000000FF), ref: 005C74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005C74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005C74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005C752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005C7554
InflateRect.USER32(?,000000FD,000000FD), ref: 005C7572
DrawFocusRect.USER32(?,?), ref: 005C757D
GetSysColor.USER32(00000011), ref: 005C758E
SetTextColor.GDI32(?,00000000), ref: 005C7596
DrawTextW.USER32(?,005C70F5,000000FF,?,00000000), ref: 005C75A8
SelectObject.GDI32(?,?), ref: 005C75BF
DeleteObject.GDI32(?), ref: 005C75CA
SelectObject.GDI32(?,?), ref: 005C75D0
DeleteObject.GDI32(?), ref: 005C75D5
SetTextColor.GDI32(?,?), ref: 005C75DB
SetBkColor.GDI32(?,?), ref: 005C75E5

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b0a87f5d4c3d2b3a208bd37e52d6707592c8047b5ad5656bba18ab0af5c1f144
Instruction ID: c7181ddc5042074ffcb4a127a5e2a0b8dd33567afedcdb3260a12d6b18dfc489
Opcode Fuzzy Hash: b0a87f5d4c3d2b3a208bd37e52d6707592c8047b5ad5656bba18ab0af5c1f144
Instruction Fuzzy Hash: 74615972900618AFDF019FA8DC49EEEBFB9FB08320F154515F91AAB2A1D7709940DF90

Function 005C0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005C1128
GetDesktopWindow.USER32 ref: 005C113D
GetWindowRect.USER32(00000000), ref: 005C1144
GetWindowLongW.USER32(?,000000F0), ref: 005C1199
DestroyWindow.USER32(?), ref: 005C11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005C11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005C120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005C121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 005C1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 005C1245
IsWindowVisible.USER32(00000000), ref: 005C12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005C12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005C12D0
GetWindowRect.USER32(00000000,?), ref: 005C12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 005C130E
GetMonitorInfoW.USER32(00000000,?), ref: 005C1328
CopyRect.USER32(?,?), ref: 005C133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005C13AA

Strings

tooltips_class32, xrefs: 005C11E6
0, xrefs: 005C10D3
(, xrefs: 005C131B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 4c853b0ba73efb747f456a5369381dddb6b102a5449326fa8337ffd35b1b9e07
Instruction ID: 45819abec64ab79e3b7c8c404de13300a2a6b8aff01c8511b8686d676ecba11f
Opcode Fuzzy Hash: 4c853b0ba73efb747f456a5369381dddb6b102a5449326fa8337ffd35b1b9e07
Instruction Fuzzy Hash: 45B16771608741AFD700DF68C988F6ABFE4FB89744F00891CF9999B262D771E844CB95

Function 005C0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005C02E5
_wcslen.LIBCMT ref: 005C031F
_wcslen.LIBCMT ref: 005C0389
_wcslen.LIBCMT ref: 005C03F1
_wcslen.LIBCMT ref: 005C0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005C04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005C0504

Part of subcall function 0054F9F2: _wcslen.LIBCMT ref: 0054F9FD

Part of subcall function 0059223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00592258
Part of subcall function 0059223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0059228A

Strings

GETITEMCOUNT, xrefs: 005C0316, 005C0337
SELECTCLEAR, xrefs: 005C052D
ISSELECTED, xrefs: 005C04DD
SELECT, xrefs: 005C0548
GETTEXT, xrefs: 005C03EC, 005C0407
SELECTALL, xrefs: 005C0515
DESELECT, xrefs: 005C059C
GETSELECTED, xrefs: 005C05E1
GETSUBITEMCOUNT, xrefs: 005C0384, 005C039F
VIEWCHANGE, xrefs: 005C0675
SELECTINVERT, xrefs: 005C057E
FINDITEM, xrefs: 005C0627
GETSELECTEDCOUNT, xrefs: 005C0470, 005C048B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 58273b59902b8f887d6644b5e3ca333cd0795e5150323243d41809819aa74759
Instruction ID: 90b512d5113eac7a2b2c2aba55cbe2563fa83d5c9df937100edb541352eda1f0
Opcode Fuzzy Hash: 58273b59902b8f887d6644b5e3ca333cd0795e5150323243d41809819aa74759
Instruction Fuzzy Hash: A3E19A31208202DFCB18DF68C590E2ABBE6BFC8714F14595CF8969B2A1DB30ED45CB81

Function 00548891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00548968
GetSystemMetrics.USER32(00000007), ref: 00548970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0054899B
GetSystemMetrics.USER32(00000008), ref: 005489A3
GetSystemMetrics.USER32(00000004), ref: 005489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00548A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00548A3C
GetClientRect.USER32(00000000,000000FF), ref: 00548A5A
GetStockObject.GDI32(00000011), ref: 00548A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00548A81

Part of subcall function 0054912D: GetCursorPos.USER32(?), ref: 00549141
Part of subcall function 0054912D: ScreenToClient.USER32(00000000,?), ref: 0054915E
Part of subcall function 0054912D: GetAsyncKeyState.USER32(00000001), ref: 00549183
Part of subcall function 0054912D: GetAsyncKeyState.USER32(00000002), ref: 0054919D

SetTimer.USER32(00000000,00000000,00000028,005490FC), ref: 00548AA8

Strings

AutoIt v3 GUI, xrefs: 00548A20

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: bf170a87714a13a03530076460430b0e6291d7abb39cfbd9f2095a7a046a7064
Instruction ID: f9f0f731fe2aabada6314d6e5717f70b0c269bda94e46d53661b24ec3cddfe46
Opcode Fuzzy Hash: bf170a87714a13a03530076460430b0e6291d7abb39cfbd9f2095a7a046a7064
Instruction Fuzzy Hash: 2AB15A71A4020A9FDB14DFA8DD49BEE3FB5FB48314F104229FA19EB290DB70A941CB51

Function 00590D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00591114
Part of subcall function 005910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 00591120
Part of subcall function 005910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 0059112F
Part of subcall function 005910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 00591136
Part of subcall function 005910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0059114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00590DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00590E29
GetLengthSid.ADVAPI32(?), ref: 00590E40
GetAce.ADVAPI32(?,00000000,?), ref: 00590E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00590E96
GetLengthSid.ADVAPI32(?), ref: 00590EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00590EB5
HeapAlloc.KERNEL32(00000000), ref: 00590EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00590EDD
CopySid.ADVAPI32(00000000), ref: 00590EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00590F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00590F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00590F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00590F6E
HeapFree.KERNEL32(00000000), ref: 00590F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00590F7E
HeapFree.KERNEL32(00000000), ref: 00590F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00590F8E
HeapFree.KERNEL32(00000000), ref: 00590F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00590FA1
HeapFree.KERNEL32(00000000), ref: 00590FA8

Part of subcall function 00591193: GetProcessHeap.KERNEL32(00000008,00590BB1,?,00000000,?,00590BB1,?), ref: 005911A1
Part of subcall function 00591193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00590BB1,?), ref: 005911A8
Part of subcall function 00591193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00590BB1,?), ref: 005911B7

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f58508341889ee57d17483a5408f7789fab1856a56b11b8117863b76346accdb
Instruction ID: 0a4e09a676da9c561ee34493323b2ad1de5254acb4bd59cc34932f5e4ad10a03
Opcode Fuzzy Hash: f58508341889ee57d17483a5408f7789fab1856a56b11b8117863b76346accdb
Instruction Fuzzy Hash: FD71587290061AAFDF20DFA5DC48FAEBFB8FF14300F148515F919A6291D7319A09CB60

Function 005BC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,005CCC08,00000000,?,00000000,?,?), ref: 005BC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 005BC5A4
_wcslen.LIBCMT ref: 005BC5F4
_wcslen.LIBCMT ref: 005BC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 005BC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 005BC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 005BC84D
RegCloseKey.ADVAPI32(?), ref: 005BC881
RegCloseKey.ADVAPI32(00000000), ref: 005BC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 005BC960

Strings

REG_DWORD, xrefs: 005BC804
REG_EXPAND_SZ, xrefs: 005BC5CD
REG_SZ, xrefs: 005BC644
REG_QWORD, xrefs: 005BC8C3
REG_BINARY, xrefs: 005BC913
REG_MULTI_SZ, xrefs: 005BC6F5

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 72e3d2fae163176ce568a9afe0b9f4193458958913bb0b27e46e11ce17cf48cc
Instruction ID: 2d436524994179ed384e89d6c26660360165fe104be405fd3d11435166e53c0d
Opcode Fuzzy Hash: 72e3d2fae163176ce568a9afe0b9f4193458958913bb0b27e46e11ce17cf48cc
Instruction Fuzzy Hash: 8B1244756042029FDB24DF14C895A6ABFE5FF88714F04885DF88A9B2A2DB31FD41CB85

Function 005C091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005C09C6
_wcslen.LIBCMT ref: 005C0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005C0A54
_wcslen.LIBCMT ref: 005C0A8A
_wcslen.LIBCMT ref: 005C0B06
_wcslen.LIBCMT ref: 005C0B81

Part of subcall function 0054F9F2: _wcslen.LIBCMT ref: 0054F9FD

Part of subcall function 00592BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00592BFA

Strings

GETTEXT, xrefs: 005C0C97
GETTOTALCOUNT, xrefs: 005C09F2, 005C0A17
GETITEMCOUNT, xrefs: 005C0C1E
EXPAND, xrefs: 005C0BF8
EXISTS, xrefs: 005C0B7C, 005C0B97
CHECK, xrefs: 005C0A85, 005C0AA0
UNCHECK, xrefs: 005C0D3E
COLLAPSE, xrefs: 005C0B01, 005C0B1C
GETSELECTED, xrefs: 005C0C4E
ISCHECKED, xrefs: 005C0CE1
SELECT, xrefs: 005C0D11

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 4fdfdb5448f8c02961840ca4cb40a2f84403082f6f46aa06a51e08657cd496ee
Instruction ID: 8e3433f50ff2c12ab9dbc128aace2417059c73e62577bdfa7887ebd976197bf9
Opcode Fuzzy Hash: 4fdfdb5448f8c02961840ca4cb40a2f84403082f6f46aa06a51e08657cd496ee
Instruction Fuzzy Hash: C2E16835208706DFCB14DF68C450A2ABBE1BF98318F14895DF8969B3A2DB31ED45CB81

Function 005BC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,005BB6AE,?,?), ref: 005BC9B5
_wcslen.LIBCMT ref: 005BC9F1
_wcslen.LIBCMT ref: 005BCA68
_wcslen.LIBCMT ref: 005BCA9E
_wcslen.LIBCMT ref: 005BCAF9
_wcslen.LIBCMT ref: 005BCB2F
_wcslen.LIBCMT ref: 005BCB7F

Strings

HKEY_CURRENT_USER, xrefs: 005BCBBD
HKU, xrefs: 005BCBF0
HKEY_USERS, xrefs: 005BCBDF
HKCU, xrefs: 005BCBCE
HKLM, xrefs: 005BCA98, 005BCA9D
HKEY_LOCAL_MACHINE, xrefs: 005BCA62, 005BCA67
HKCC, xrefs: 005BCBAC
HKEY_CLASSES_ROOT, xrefs: 005BCAF3, 005BCAF8
HKCR, xrefs: 005BCB29, 005BCB2E
HKEY_CURRENT_CONFIG, xrefs: 005BCB79, 005BCB7E

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 836eb1b7f986428d9c279ec65a5544efde898d05aaeb5d4644a1affb40806528
Instruction ID: c4496f53a124772a1fa01ad2fe1e341caf2086ddab0938af21b6d2fc152e8963
Opcode Fuzzy Hash: 836eb1b7f986428d9c279ec65a5544efde898d05aaeb5d4644a1affb40806528
Instruction Fuzzy Hash: C971F43260012B8BCB20DE6CCD515FF3F91BBA5754F650529FC66AB284E634ED8483A8

Function 005C833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005C835A
_wcslen.LIBCMT ref: 005C836E
_wcslen.LIBCMT ref: 005C8391
_wcslen.LIBCMT ref: 005C83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005C83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005C5BF2), ref: 005C844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005C8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005C84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005C8501
FreeLibrary.KERNEL32(?), ref: 005C850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005C851D
DestroyIcon.USER32(?,?,?,?,?,005C5BF2), ref: 005C852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005C8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005C8555

Strings

.dll, xrefs: 005C83AB
.exe, xrefs: 005C8388
.icl, xrefs: 005C8368

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: ec036bd47a50715fdd1acae6348811444516dcbbc69feb928bb7f632192775b9
Instruction ID: bd598b08457eca460381ee76279e201ba026e64ca126ada906ea30a3cab6d549
Opcode Fuzzy Hash: ec036bd47a50715fdd1acae6348811444516dcbbc69feb928bb7f632192775b9
Instruction Fuzzy Hash: AB61E37150061ABEEB14CFA4CC85FBE7FA8FB48B11F10450AF915D61D1DBB4A984DBA0

Function 00537778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 00575169
", xrefs: 00575153
#OnAutoItStartRegister, xrefs: 00537817
#include, xrefs: 00537847
Cannot parse #include, xrefs: 00575279
#comments-start, xrefs: 0053785F, 005378B1
#comments-end, xrefs: 005378D9
Unterminated group of comments, xrefs: 0057528C
#notrayicon, xrefs: 005377E7
#ce, xrefs: 005378ED
Bad directive syntax error, xrefs: 0057519A
#include-once, xrefs: 0053782F
#requireadmin, xrefs: 005377FF
#pragma compile, xrefs: 005377D3
#cs, xrefs: 00537873, 005378C5

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 29b65cc3220f144bbd5ccdc64ebb79528eba61323a65cffb6f1518dee33b0e8d
Instruction ID: c9acbb9a6f00c8e2cd2a4e1695aaa173be04019e8e90f8c1f77a1e45df467603
Opcode Fuzzy Hash: 29b65cc3220f144bbd5ccdc64ebb79528eba61323a65cffb6f1518dee33b0e8d
Instruction Fuzzy Hash: B881FBB1A0460ABFDB21AF60DC46FBE7FA8FF58300F044425F909AA192EB70D915D791

Function 005A3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 005A3EF8
_wcslen.LIBCMT ref: 005A3F03
_wcslen.LIBCMT ref: 005A3F5A
_wcslen.LIBCMT ref: 005A3F98
GetDriveTypeW.KERNEL32(?), ref: 005A3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005A401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005A4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005A4087

Strings

open, xrefs: 005A3F54, 005A3F59
open , xrefs: 005A3FE5
closed, xrefs: 005A3F08, 005A3F2D, 005A3F46, 005A3F7E, 005A3F97
close cd wait, xrefs: 005A4072
type cdaudio alias cd wait, xrefs: 005A4001
set cd door , xrefs: 005A4028
wait, xrefs: 005A4044
close, xrefs: 005A3EFE, 005A3F18

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: a33982a734df5b75536ebc7991c652fc0fe77944e8715f81d97099fed9d23a53
Instruction ID: a0f34ff728415005baac71188a4b47bd895effd61e4ff6133caa08e2014a55ba
Opcode Fuzzy Hash: a33982a734df5b75536ebc7991c652fc0fe77944e8715f81d97099fed9d23a53
Instruction Fuzzy Hash: 7571AA726042069FC310EF24C88586EBFE4FF95758F10892DF99697261EB34EE49CB91

Function 00595A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00595A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00595A40
SetWindowTextW.USER32(?,?), ref: 00595A57
GetDlgItem.USER32(?,000003EA), ref: 00595A6C
SetWindowTextW.USER32(00000000,?), ref: 00595A72
GetDlgItem.USER32(?,000003E9), ref: 00595A82
SetWindowTextW.USER32(00000000,?), ref: 00595A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00595AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00595AC3
GetWindowRect.USER32(?,?), ref: 00595ACC
_wcslen.LIBCMT ref: 00595B33
SetWindowTextW.USER32(?,?), ref: 00595B6F
GetDesktopWindow.USER32 ref: 00595B75
GetWindowRect.USER32(00000000), ref: 00595B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00595BD3
GetClientRect.USER32(?,?), ref: 00595BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00595C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00595C2F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: d874444061762aa0c3f93a56c9a6b931061bffcaacef490cc60e7dab9ddd4981
Instruction ID: 87070ff37b4f14ce82e7dfbddfc15616cdce8f87abca38364bc9160fb3769e18
Opcode Fuzzy Hash: d874444061762aa0c3f93a56c9a6b931061bffcaacef490cc60e7dab9ddd4981
Instruction Fuzzy Hash: F6718C31900B09AFDF21DFA8CE89E6EBFF5FF48705F104918E586A25A0E774A954CB50

Function 005AFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 005AFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 005AFE32
LoadCursorW.USER32(00000000,00007F00), ref: 005AFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 005AFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 005AFE53
LoadCursorW.USER32(00000000,00007F01), ref: 005AFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 005AFE69
LoadCursorW.USER32(00000000,00007F88), ref: 005AFE74
LoadCursorW.USER32(00000000,00007F80), ref: 005AFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 005AFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 005AFE95
LoadCursorW.USER32(00000000,00007F85), ref: 005AFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 005AFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 005AFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 005AFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 005AFECC
GetCursorInfo.USER32(?), ref: 005AFEDC
GetLastError.KERNEL32 ref: 005AFF1E

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 27dbcb5725089cfccd5dc8989dc1f9491606c51ba731ff61c080adf3c0b4bfd5
Instruction ID: 92602c4ca9a79426303ff04a322a73a4a36d616c9d4ae3c4f7159491160f7a3b
Opcode Fuzzy Hash: 27dbcb5725089cfccd5dc8989dc1f9491606c51ba731ff61c080adf3c0b4bfd5
Instruction Fuzzy Hash: 014142B0D043196EDB109FBA8C89C5EBFE8FF05754B54452AE11DE7281DB78A901CF91

Function 005930F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0059318D
_wcslen.LIBCMT ref: 005931F8

Strings

REGEXPCLASS, xrefs: 00593255, 00593266
CLASSNN, xrefs: 005931F3, 00593204
NAME, xrefs: 00593335, 00593346
CLASS, xrefs: 00593188, 005931A5
TEXT, xrefs: 0059347C
INSTANCE, xrefs: 00593453
[_, xrefs: 0059339A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[_
API String ID: 176396367-468327195
Opcode ID: c8b8a3b793519889321daa4458d79dcf56ab134f05cc9fd2be03ec13ad42127f
Instruction ID: 50e3bbee71b93f7550331867094bb0025617c209d1557053c75ce0f78c5c8907
Opcode Fuzzy Hash: c8b8a3b793519889321daa4458d79dcf56ab134f05cc9fd2be03ec13ad42127f
Instruction Fuzzy Hash: E5E1F432A00516EBCF189FA8C4556FEFFB0BF44710F55852AE556B7250EB30AE89CB90

Function 005500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005500C6

Part of subcall function 005500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0060070C,00000FA0,D1C66CF8,?,?,?,?,005723B3,000000FF), ref: 0055011C
Part of subcall function 005500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005723B3,000000FF), ref: 00550127
Part of subcall function 005500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005723B3,000000FF), ref: 00550138
Part of subcall function 005500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0055014E
Part of subcall function 005500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0055015C
Part of subcall function 005500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0055016A
Part of subcall function 005500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00550195
Part of subcall function 005500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005501A0

___scrt_fastfail.LIBCMT ref: 005500E7

Part of subcall function 005500A3: __onexit.LIBCMT ref: 005500A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00550122
WakeAllConditionVariable, xrefs: 00550162
InitializeConditionVariable, xrefs: 00550148
kernel32.dll, xrefs: 00550133
SleepConditionVariableCS, xrefs: 00550154

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: e610ecb7385b390d71097dec6c3232690aa99221e620150b3882dd130ea58583
Instruction ID: 1ce5aa71fe78cb3d5ff60faf7c38a5414d49fadc69dc7f72e8d0ba9aab7497e2
Opcode Fuzzy Hash: e610ecb7385b390d71097dec6c3232690aa99221e620150b3882dd130ea58583
Instruction Fuzzy Hash: 23210732644B116FE7105BA4AC19F6A3F99FB44B62F04012BFC06966D1DF649C08CA91

Function 005A44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,005CCC08), ref: 005A4527
_wcslen.LIBCMT ref: 005A453B
_wcslen.LIBCMT ref: 005A4599
_wcslen.LIBCMT ref: 005A45F4
_wcslen.LIBCMT ref: 005A463F
_wcslen.LIBCMT ref: 005A46A7

Part of subcall function 0054F9F2: _wcslen.LIBCMT ref: 0054F9FD

GetDriveTypeW.KERNEL32(?,005F6BF0,00000061), ref: 005A4743

Strings

fixed, xrefs: 005A4635, 005A463A
unknown, xrefs: 005A4708
ramdisk, xrefs: 005A46F1
network, xrefs: 005A469D, 005A46A2
cdrom, xrefs: 005A458F, 005A4594
all, xrefs: 005A4531, 005A4536
removable, xrefs: 005A45EA, 005A45EF

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 1484c722d87794a32ab710f134fd037316823dd6b10a324290dda19c0c4def7c
Instruction ID: 5438b9e8ec06bad4e2fe19e43226d6712da62c01e7efa65430f44813fb325daa
Opcode Fuzzy Hash: 1484c722d87794a32ab710f134fd037316823dd6b10a324290dda19c0c4def7c
Instruction Fuzzy Hash: ECB1EE716083029BC710DF68C894A6EBFE5BFEA720F50491DF59687291E7B0D845CF62

Function 005C911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

DragQueryPoint.SHELL32(?,?), ref: 005C9147

Part of subcall function 005C7674: ClientToScreen.USER32(?,?), ref: 005C769A
Part of subcall function 005C7674: GetWindowRect.USER32(?,?), ref: 005C7710
Part of subcall function 005C7674: PtInRect.USER32(?,?,005C8B89), ref: 005C7720

SendMessageW.USER32(?,000000B0,?,?), ref: 005C91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005C91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005C91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 005C9225
SendMessageW.USER32(?,000000B0,?,?), ref: 005C923E
SendMessageW.USER32(?,000000B1,?,?), ref: 005C9255
SendMessageW.USER32(?,000000B1,?,?), ref: 005C9277
DragFinish.SHELL32(?), ref: 005C927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005C9371

Strings

@GUI_DRAGID, xrefs: 005C92E9
p#`, xrefs: 005C92BB
@GUI_DROPID, xrefs: 005C929E
@GUI_DRAGFILE, xrefs: 005C9320

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#`
API String ID: 221274066-1039879429
Opcode ID: 280d1e60719bdd67d32ef5ba20c78b54c2d5c574bd7f3aac17c47c6308dbb621
Instruction ID: 3f9651f9f728ecd2dae8301645719c0ddaad37998db1bcc06db3d5eb70c9e94c
Opcode Fuzzy Hash: 280d1e60719bdd67d32ef5ba20c78b54c2d5c574bd7f3aac17c47c6308dbb621
Instruction Fuzzy Hash: 4C615971108305AFC701DF54D889EABBFE9FBD9750F00091EF595962A0DB709A49CB52

Function 005BAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005BB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005BB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005BB1D4
_wcslen.LIBCMT ref: 005BB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005BB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005BB236
_wcslen.LIBCMT ref: 005BB332

Part of subcall function 005A05A7: GetStdHandle.KERNEL32(000000F6), ref: 005A05C6

_wcslen.LIBCMT ref: 005BB34B
_wcslen.LIBCMT ref: 005BB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005BB3B6
GetLastError.KERNEL32(00000000), ref: 005BB407
CloseHandle.KERNEL32(?), ref: 005BB439
CloseHandle.KERNEL32(00000000), ref: 005BB44A
CloseHandle.KERNEL32(00000000), ref: 005BB45C
CloseHandle.KERNEL32(00000000), ref: 005BB46E
CloseHandle.KERNEL32(?), ref: 005BB4E3

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: cfadb4851a4d77868a883063efad834b81f3b0e9f8f6e4b0af91987de38b42e8
Instruction ID: 71d9779d5491242e0eb6cf436a9d8f3912f41d1ae63f11e709d5696f33adde81
Opcode Fuzzy Hash: cfadb4851a4d77868a883063efad834b81f3b0e9f8f6e4b0af91987de38b42e8
Instruction Fuzzy Hash: 02F19A715042059FDB24EF24C895BAEBFE1BF85314F14885DF8998B2A2DBB1EC44CB52

Function 0053326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00601990), ref: 00572F8D
GetMenuItemCount.USER32(00601990), ref: 0057303D
GetCursorPos.USER32(?), ref: 00573081
SetForegroundWindow.USER32(00000000), ref: 0057308A
TrackPopupMenuEx.USER32(00601990,00000000,?,00000000,00000000,00000000), ref: 0057309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005730A9

Strings

0, xrefs: 0053327D

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 98e4ab9f43182dc386b1311ad5a1ed64c335167465a3e6faa739e52afe8d017c
Instruction ID: 5c97da3af83890d1be6de1fd4968be4b9d215739d6b9c05e3e90e89d5ac890ab
Opcode Fuzzy Hash: 98e4ab9f43182dc386b1311ad5a1ed64c335167465a3e6faa739e52afe8d017c
Instruction Fuzzy Hash: 0071F731644206BEFB218F64DC4EFAABF64FF05364F208216F5186A1E0C7B1AD54EB90

Function 005C6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 005C6DEB

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005C6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005C6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005C6E94
DestroyWindow.USER32(?), ref: 005C6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00530000,00000000), ref: 005C6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005C6EFD
GetDesktopWindow.USER32 ref: 005C6F16
GetWindowRect.USER32(00000000), ref: 005C6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005C6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005C6F4D

Part of subcall function 00549944: GetWindowLongW.USER32(?,000000EB), ref: 00549952

Strings

tooltips_class32, xrefs: 005C6E58, 005C6EDD
0, xrefs: 005C6D98

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 2f1607d8ba586af2e8c9c6d7b4e6378fa353d7a709ebb3ba57a075fabc826e41
Instruction ID: b92f32b644f63f14534df0497e0aeedf73c90c403d977fc84f14f164c582896c
Opcode Fuzzy Hash: 2f1607d8ba586af2e8c9c6d7b4e6378fa353d7a709ebb3ba57a075fabc826e41
Instruction Fuzzy Hash: 28715874144245AFDB21CF58D898FABBFE9FF89304F04041EF9998B261C770AA49DB11

Function 005AC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005AC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005AC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005AC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 005AC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 005AC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 005AC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005AC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005AC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005AC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005AC5F0
InternetCloseHandle.WININET(00000000), ref: 005AC5FB

Strings

, xrefs: 005AC575

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 72900a12706e7e53325d15489805f5c1c432741f32929d14fdeda3e8cac703cd
Instruction ID: fdcd249dbd171ca0a897169532de3578557fde499f766bd3ae98b3e1ef8badcd
Opcode Fuzzy Hash: 72900a12706e7e53325d15489805f5c1c432741f32929d14fdeda3e8cac703cd
Instruction Fuzzy Hash: 9B513BB1500605BFDB219F64C948EAE7FFCFF1A754F004419F94996610EB34E948ABA0

Function 005C856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 005C8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005C85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005C85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005C85BA
GlobalLock.KERNEL32(00000000), ref: 005C85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005C85D7
GlobalUnlock.KERNEL32(00000000), ref: 005C85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005C85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005C85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,005CFC38,?), ref: 005C8611
GlobalFree.KERNEL32(00000000), ref: 005C8621
GetObjectW.GDI32(?,00000018,?), ref: 005C8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 005C8671
DeleteObject.GDI32(?), ref: 005C8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005C86AF

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1c6753a82469b6fdce0cf301028b6dced35b690017bb488d0ef2d5158dbbbf14
Instruction ID: a45763729a90a2816d69118993c75d16857f314e1ecae9ca9316a6f6ac450d2d
Opcode Fuzzy Hash: 1c6753a82469b6fdce0cf301028b6dced35b690017bb488d0ef2d5158dbbbf14
Instruction Fuzzy Hash: EA414975600604BFDB118FA5CC88EAA7FB8FF99B11F144058F909E7260DB709D45DB20

Function 005A14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 005A1502
VariantCopy.OLEAUT32(?,?), ref: 005A150B
VariantClear.OLEAUT32(?), ref: 005A1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005A15FB
VarR8FromDec.OLEAUT32(?,?), ref: 005A1657
VariantInit.OLEAUT32(?), ref: 005A1708
SysFreeString.OLEAUT32(?), ref: 005A178C
VariantClear.OLEAUT32(?), ref: 005A17D8
VariantClear.OLEAUT32(?), ref: 005A17E7
VariantInit.OLEAUT32(00000000), ref: 005A1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 005A1625
Default, xrefs: 005A16AF

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: abcb951a681ea957c4ee3710377868dec9eeec4ec0bd9ce8a3c16bee47851757
Instruction ID: 5b9030c6af092063e8cb1c955d7023ffcbd101d96d13eaf8dc3f58392a487c49
Opcode Fuzzy Hash: abcb951a681ea957c4ee3710377868dec9eeec4ec0bd9ce8a3c16bee47851757
Instruction Fuzzy Hash: 83D10071E00906EBDB049FA5E899BBDBFB5BF8A700F10845AE446AB180DB30DC45DF65

Function 005BB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 005BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005BB6AE,?,?), ref: 005BC9B5
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BC9F1
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA68
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005BB772
RegDeleteValueW.ADVAPI32(?,?), ref: 005BB80A
RegCloseKey.ADVAPI32(?), ref: 005BB87E
RegCloseKey.ADVAPI32(?), ref: 005BB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 005BB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005BB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 005BB922
FreeLibrary.KERNEL32(00000000), ref: 005BB983
RegCloseKey.ADVAPI32(00000000), ref: 005BB994

Strings

RegDeleteKeyExW, xrefs: 005BB8FE
advapi32.dll, xrefs: 005BB8ED

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: aec7f50bf865981b98f349273f6637967f13cb1898130ed86defbf9218246bf0
Instruction ID: 41410f737803db3f849b57660e290b0e942d35fcfb5d54b3ca09676543d64767
Opcode Fuzzy Hash: aec7f50bf865981b98f349273f6637967f13cb1898130ed86defbf9218246bf0
Instruction Fuzzy Hash: 02C16935208202AFE714DF14C499F6ABFE5FF84318F14855CE49A9B2A2CBB1ED45CB91

Function 005B255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005B25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005B25E8
CreateCompatibleDC.GDI32(?), ref: 005B25F4
SelectObject.GDI32(00000000,?), ref: 005B2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 005B266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005B26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005B26D0
SelectObject.GDI32(?,?), ref: 005B26D8
DeleteObject.GDI32(?), ref: 005B26E1
DeleteDC.GDI32(?), ref: 005B26E8
ReleaseDC.USER32(00000000,?), ref: 005B26F3

Strings

(, xrefs: 005B268D

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f982930baf1653ae9e9c443a5569f42dfe071a0b1e6f0ec21bd9f23aed73298d
Instruction ID: 0349a762db71da15f00645fe6d3e8b2e625519405023a5578657343fece066a3
Opcode Fuzzy Hash: f982930baf1653ae9e9c443a5569f42dfe071a0b1e6f0ec21bd9f23aed73298d
Instruction Fuzzy Hash: 1461E175D00219EFCF04CFA8D888EAEBBB5FF58310F248529E95AA7250D770A951DF60

Function 0056DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0056DAA1

Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D659
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D66B
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D67D
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D68F
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D6A1
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D6B3
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D6C5
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D6D7
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D6E9
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D6FB
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D70D
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D71F
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D731

_free.LIBCMT ref: 0056DA96

Part of subcall function 005629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000), ref: 005629DE
Part of subcall function 005629C8: GetLastError.KERNEL32(00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000,00000000), ref: 005629F0

_free.LIBCMT ref: 0056DAB8
_free.LIBCMT ref: 0056DACD
_free.LIBCMT ref: 0056DAD8
_free.LIBCMT ref: 0056DAFA
_free.LIBCMT ref: 0056DB0D
_free.LIBCMT ref: 0056DB1B
_free.LIBCMT ref: 0056DB26
_free.LIBCMT ref: 0056DB5E
_free.LIBCMT ref: 0056DB65
_free.LIBCMT ref: 0056DB82
_free.LIBCMT ref: 0056DB9A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 40a92d9030ef1744269eb7eeed42fa56c052f53f50a5d09671bd2673514293b4
Instruction ID: a82217adb9bbb4a8bbe444820504ea8dc60ef9be7bbef34d4b40bc9ec464e19c
Opcode Fuzzy Hash: 40a92d9030ef1744269eb7eeed42fa56c052f53f50a5d09671bd2673514293b4
Instruction Fuzzy Hash: 12312A31B046069FEB25AA79E849B6A7FF9FF80350F154829E449D71A5DE35AC80CB30

Function 0059365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0059369C
_wcslen.LIBCMT ref: 005936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00593797
GetClassNameW.USER32(?,?,00000400), ref: 0059380C
GetDlgCtrlID.USER32(?), ref: 0059385D
GetWindowRect.USER32(?,?), ref: 00593882
GetParent.USER32(?), ref: 005938A0
ScreenToClient.USER32(00000000), ref: 005938A7
GetClassNameW.USER32(?,?,00000100), ref: 00593921
GetWindowTextW.USER32(?,?,00000400), ref: 0059395D

Strings

%s%u, xrefs: 00593734

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: ba36e584deb5888745da5a5b1fd406cd96be6d6cb0ededfeadf56941ac3d0cca
Instruction ID: df43088617da633b96874a34057f823c391a912bcf2900b2cb5b0399c78b8359
Opcode Fuzzy Hash: ba36e584deb5888745da5a5b1fd406cd96be6d6cb0ededfeadf56941ac3d0cca
Instruction Fuzzy Hash: 4791A371204606EFDB19DF64C895FAAFFA8FF44354F008529F999D2190DB30EA49CB91

Function 00594954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00594994
GetWindowTextW.USER32(?,?,00000400), ref: 005949DA
_wcslen.LIBCMT ref: 005949EB
CharUpperBuffW.USER32(?,00000000), ref: 005949F7
_wcsstr.LIBVCRUNTIME ref: 00594A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00594A64
GetWindowTextW.USER32(?,?,00000400), ref: 00594A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00594AE6
GetClassNameW.USER32(?,?,00000400), ref: 00594B20
GetWindowRect.USER32(?,?), ref: 00594B8B

Strings

ThumbnailClass, xrefs: 00594A6F, 00594AF1

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 806797d3bcc0c483663129d45e5340fe3806f9cdd0983a753cddb6a5b332b713
Instruction ID: 26f4b1c9bcc62b886844817a8196fb3069de2e02047705bab01b89a6297b0708
Opcode Fuzzy Hash: 806797d3bcc0c483663129d45e5340fe3806f9cdd0983a753cddb6a5b332b713
Instruction Fuzzy Hash: 81918A710042069FDF04CF14C995FAA7FE9FB84314F04846AED899A196EB34ED4ACFA1

Function 005C8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005C8D5A
GetFocus.USER32 ref: 005C8D6A
GetDlgCtrlID.USER32(00000000), ref: 005C8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 005C8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 005C8ECF
GetMenuItemCount.USER32(?), ref: 005C8EEC
GetMenuItemID.USER32(?,00000000), ref: 005C8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 005C8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 005C8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005C8FA1

Strings

0, xrefs: 005C8E9F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: cd320f496c828fb031e78c656a222b5c6a4f57bc84e0f02e88a656950efb7a81
Instruction ID: 7c4ec4db40486a9cd9669de4f9ef8e7fcd7bfa18843448bada1446f9f5eeb8c4
Opcode Fuzzy Hash: cd320f496c828fb031e78c656a222b5c6a4f57bc84e0f02e88a656950efb7a81
Instruction Fuzzy Hash: 08815571508301AFDB108F64C888EBBBBE9BB89354F14095DF98997291DB70D905DBA2

Function 0059DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0059DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0059DC46
_wcslen.LIBCMT ref: 0059DC50
_wcsstr.LIBVCRUNTIME ref: 0059DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0059DCBC

Strings

DefaultLangCodepage, xrefs: 0059DD1F
04090000, xrefs: 0059DCF2
\VarFileInfo\Translation, xrefs: 0059DCB4
StringFileInfo\, xrefs: 0059DC8F
%u.%u.%u.%u, xrefs: 0059DD9A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: a95e014e7e68bc11c82af33caf5021709e23ba3a0f2dafa2218c702c334f3c73
Instruction ID: c0ac722f5a13eab9168849c1d3b6bd15fc15e4b5d8cbf0c8b383dcd4a47b426f
Opcode Fuzzy Hash: a95e014e7e68bc11c82af33caf5021709e23ba3a0f2dafa2218c702c334f3c73
Instruction Fuzzy Hash: BC4122729402067ADB14ABB48C0BEFF7FBCFF91751F10046AF904A6192EB68990597B4

Function 005BCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 005BCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 005BCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 005BCD48

Part of subcall function 005BCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 005BCCAA
Part of subcall function 005BCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 005BCCBD
Part of subcall function 005BCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005BCCCF
Part of subcall function 005BCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 005BCD05
Part of subcall function 005BCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 005BCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 005BCCF3

Strings

RegDeleteKeyExW, xrefs: 005BCCC9
advapi32.dll, xrefs: 005BCCB8

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: cb10ad81c33ca2e95f20f7658c5d40e9d4f1a1b4d67f476f1ee011a6ba2d669f
Instruction ID: b40677c191cab97b6a7954581aa495653ee715d1813fa10ebebf6e215a3a6e10
Opcode Fuzzy Hash: cb10ad81c33ca2e95f20f7658c5d40e9d4f1a1b4d67f476f1ee011a6ba2d669f
Instruction Fuzzy Hash: DA316E75901129BFDB208B55DC88EFFBF7CFF65750F000165E909E6240DA34AE49EAA4

Function 005A3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005A3D40
_wcslen.LIBCMT ref: 005A3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 005A3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 005A3DBE
RemoveDirectoryW.KERNEL32(?), ref: 005A3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005A3E55
CloseHandle.KERNEL32(00000000), ref: 005A3E60
CloseHandle.KERNEL32(00000000), ref: 005A3E6B

Strings

:, xrefs: 005A3D82
\, xrefs: 005A3D77
\??\%s, xrefs: 005A3D5B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 821ac692a5e1e1fb5dba9f40c651cc0bf3618d6347c880814b3fbd94c59bb1d1
Instruction ID: 9a8ab9726b4cfc653a30c9cc0a3facf56467c8b0f14fba7e0ad4f3400ea64231
Opcode Fuzzy Hash: 821ac692a5e1e1fb5dba9f40c651cc0bf3618d6347c880814b3fbd94c59bb1d1
Instruction Fuzzy Hash: 513194B690010AABDB219BA0DC49FEF3BBCFF89744F1041B5F509D6160E77497488B64

Function 0059E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0059E6B4

Part of subcall function 0054E551: timeGetTime.WINMM(?,?,0059E6D4), ref: 0054E555

Sleep.KERNEL32(0000000A), ref: 0059E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0059E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0059E727
SetActiveWindow.USER32 ref: 0059E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0059E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0059E773
Sleep.KERNEL32(000000FA), ref: 0059E77E
IsWindow.USER32 ref: 0059E78A
EndDialog.USER32(00000000), ref: 0059E79B

Strings

BUTTON, xrefs: 0059E719

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: e0719680ffcfd7792ad7aa08414e9be12c302b7e55e8b9d6bf77b12acf1905b7
Instruction ID: 0decd3243bf9ac8c3a9e0846c1b023a20c8ecff4469dd13c1feddc0b12aef880
Opcode Fuzzy Hash: e0719680ffcfd7792ad7aa08414e9be12c302b7e55e8b9d6bf77b12acf1905b7
Instruction Fuzzy Hash: 09219370240646AFEF009F64EC9EE263F6AFB65748F142424F509855A1DB72AC84EB25

Function 0059E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0059EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0059EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0059EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0059EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0059EAA7

Strings

status PlayMe mode, xrefs: 0059EA58
open , xrefs: 0059EA0C
play PlayMe, xrefs: 0059EAA2
close PlayMe, xrefs: 0059EA6E, 0059EA9B
alias PlayMe, xrefs: 0059EA36
play PlayMe wait, xrefs: 0059EA91

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 44bcd3d30f457ed2a8028430fa5b66b8d011e90b60f7f331d6b79b12185427c2
Instruction ID: 84a7a9473d53167ed89ca24f2841cd1b69a746f4df657ff5c78fb56adb2a1386
Opcode Fuzzy Hash: 44bcd3d30f457ed2a8028430fa5b66b8d011e90b60f7f331d6b79b12185427c2
Instruction Fuzzy Hash: 85111F61A9025E79DB20E7A1DD4EEFB6F7CFBD1B40F400429B511A20E1EAB45945C6B0

Function 00595CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00595CE2
GetWindowRect.USER32(00000000,?), ref: 00595CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00595D59
GetDlgItem.USER32(?,00000002), ref: 00595D69
GetWindowRect.USER32(00000000,?), ref: 00595D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00595DCF
GetDlgItem.USER32(?,000003E9), ref: 00595DDD
GetWindowRect.USER32(00000000,?), ref: 00595DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00595E31
GetDlgItem.USER32(?,000003EA), ref: 00595E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00595E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00595E67

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 80c20c181b94a78fc543f1319f8205e779288228df5a1e3b4824a612f7939540
Instruction ID: 72df9c01c6ad39335927be00a3509835334bb4b1f1530240c6f468eb8606d58b
Opcode Fuzzy Hash: 80c20c181b94a78fc543f1319f8205e779288228df5a1e3b4824a612f7939540
Instruction Fuzzy Hash: 6D51FFB1A00605AFDF19CF68DD89EAE7FB9FB58300F548129F51AE6290E7709E14CB50

Function 00548BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00548F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00548BE8,?,00000000,?,?,?,?,00548BBA,00000000,?), ref: 00548FC5

DestroyWindow.USER32(?), ref: 00548C81
KillTimer.USER32(00000000,?,?,?,?,00548BBA,00000000,?), ref: 00548D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00586973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00548BBA,00000000,?), ref: 005869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00548BBA,00000000,?), ref: 005869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00548BBA,00000000), ref: 005869D4
DeleteObject.GDI32(00000000), ref: 005869E6

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: c55ee7c463be929ddf3ed8a25a5de7d065c217b9e898ed20413c548d39290795
Instruction ID: f6ffaa30c16bc84f225d0460ffd282aca25e6a82a7d8f9bef3381e02ffcbebfa
Opcode Fuzzy Hash: c55ee7c463be929ddf3ed8a25a5de7d065c217b9e898ed20413c548d39290795
Instruction Fuzzy Hash: AA617A30502A11DFCB25AF14D988BBA7FF2FB5131AF145919E446AA5A0CB31AD84DF90

Function 00549838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00549944: GetWindowLongW.USER32(?,000000EB), ref: 00549952

GetSysColor.USER32(0000000F), ref: 00549862

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 0c73aa85ecb902c3d9fde0704a1c7a869feea2e9e48f5ba63a126efca5fcb9f5
Instruction ID: 4951025a8b0963a06e26914b31cc6f9c43acae57e942424c56a84ee52ff63364
Opcode Fuzzy Hash: 0c73aa85ecb902c3d9fde0704a1c7a869feea2e9e48f5ba63a126efca5fcb9f5
Instruction Fuzzy Hash: AB419F31104A049FDB209B3C9C89FFA3F65FB56324F284655FAA6971E1D7309842EB10

Function 00568D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.U, xrefs: 0056903A, 00568FD0, 00568FF2

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID: .U
API String ID: 0-2997353397
Opcode ID: cfcaf17f1b0ea850f85db2016d3bb9130034a0d8a183fbb56ed16e01f51b505a
Instruction ID: 31df2f2938c69ca84d3b07f6e07b645109babbff1a5159a10fdfe7953a7ae396
Opcode Fuzzy Hash: cfcaf17f1b0ea850f85db2016d3bb9130034a0d8a183fbb56ed16e01f51b505a
Instruction Fuzzy Hash: C7C10578D0424AAFDF11DFA8D849BBDBFB9BF49320F144199E815A7392CB309941CB61

Function 005996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0057F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00599717
LoadStringW.USER32(00000000,?,0057F7F8,00000001), ref: 00599720

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0057F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00599742
LoadStringW.USER32(00000000,?,0057F7F8,00000001), ref: 00599745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00599866

Strings

Line %d (File "%s"):, xrefs: 0059978F
Line %d:, xrefs: 005997A0
%s (%d) : ==> %s: %s %s, xrefs: 0059984A
^ ERROR, xrefs: 005997FB
Error: , xrefs: 0059981D

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: c333811222575101e8dc7e4d965e33877ed8ae6f3a7e0a3b4a378476f3bf12c2
Instruction ID: 5210451fb5f77f41235c522029456d10b61717fae482efb2db6e2602bbd7c105
Opcode Fuzzy Hash: c333811222575101e8dc7e4d965e33877ed8ae6f3a7e0a3b4a378476f3bf12c2
Instruction Fuzzy Hash: 0741407280410AAACF05EBE4CD8ADEEBB78FF95340F104429F60572092EB755F48CB61

Function 005906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00590804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0059082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00590837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0059083C

Strings

\IPC$, xrefs: 00590784
SOFTWARE\Classes\, xrefs: 0059070E
\CLSID, xrefs: 00590724

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: ab3e0dfeba0150705a689c11dad643ee9739bdb4ae5aa7510a05381cf937757f
Instruction ID: 77a1d42ce4ea5be2dfa896639aa6c78b0ca6e62d73127ba96f0fc98ce1267d29
Opcode Fuzzy Hash: ab3e0dfeba0150705a689c11dad643ee9739bdb4ae5aa7510a05381cf937757f
Instruction Fuzzy Hash: F5410572800229AFDF15EBA4DC99CEDBB78FF84350F144529E905A21A0EA709A04CB90

Function 005B3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005B3C5C
CoInitialize.OLE32(00000000), ref: 005B3C8A
CoUninitialize.OLE32 ref: 005B3C94
_wcslen.LIBCMT ref: 005B3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 005B3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 005B3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 005B3F0E
CoGetObject.OLE32(?,00000000,005CFB98,?), ref: 005B3F2D
SetErrorMode.KERNEL32(00000000), ref: 005B3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005B3FC4
VariantClear.OLEAUT32(?), ref: 005B3FD8

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: c09bed7b32885f2356f9466623b8e1c934d91ec8d488275dd96e02b6da113aa1
Instruction ID: 78b9275e094f25bf4c0a4fdf8df581f31401bd3402d9f1b55052616d029be2c8
Opcode Fuzzy Hash: c09bed7b32885f2356f9466623b8e1c934d91ec8d488275dd96e02b6da113aa1
Instruction Fuzzy Hash: 02C146B16083059FD700DF68C88496BBBE9FF89748F14491DF98AAB251DB30EE05CB52

Function 005A7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005A7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005A7B8F
SHGetDesktopFolder.SHELL32(?), ref: 005A7BA3
CoCreateInstance.OLE32(005CFD08,00000000,00000001,005F6E6C,?), ref: 005A7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005A7C74
CoTaskMemFree.OLE32(?,?), ref: 005A7CCC
SHBrowseForFolderW.SHELL32(?), ref: 005A7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005A7D7A
CoTaskMemFree.OLE32(00000000), ref: 005A7D81
CoTaskMemFree.OLE32(00000000), ref: 005A7DD6
CoUninitialize.OLE32 ref: 005A7DDC

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: c40e27d33cd0cf3fbbaccc7e00429c20af60db032ecd93de8d6fcb190a74c762
Instruction ID: d2797c58269062bae7fce7eb63a0a4d690e50071c74319e60f99211662c2702c
Opcode Fuzzy Hash: c40e27d33cd0cf3fbbaccc7e00429c20af60db032ecd93de8d6fcb190a74c762
Instruction Fuzzy Hash: 41C13A75A04109AFCB14DFA4C898DAEBFF9FF49314F148498E81A9B261D730EE45CB90

Function 005C541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005C5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005C5515
CharNextW.USER32(00000158), ref: 005C5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005C5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005C559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005C55AC

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 1f9af240760281b554f76b32755f81ed0d7c3e3ae887dc71bfc9edc3094dc6cb
Instruction ID: 3d4dd0e76e55369f0eb45981cd146d1a627bf608223de231b2a96cb49f367d3e
Opcode Fuzzy Hash: 1f9af240760281b554f76b32755f81ed0d7c3e3ae887dc71bfc9edc3094dc6cb
Instruction Fuzzy Hash: BA615A31900609AFDF119FD4CC84EBE7FB9FB09720F104549F925AA291E774AAC4DBA0

Function 0058FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0058FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0058FB08
VariantInit.OLEAUT32(?), ref: 0058FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0058FB3A
VariantCopy.OLEAUT32(?,?), ref: 0058FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0058FBA1
VariantClear.OLEAUT32(?), ref: 0058FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0058FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0058FBCC
VariantClear.OLEAUT32(?), ref: 0058FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0058FBE9

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 03ca029563987f9c903d9a366518b1f37699a452379d827319bda246ec0f6529
Instruction ID: 78af28701d5bea581b7b1b018025cdba1ed334bd459554cd0e39aad099594b60
Opcode Fuzzy Hash: 03ca029563987f9c903d9a366518b1f37699a452379d827319bda246ec0f6529
Instruction Fuzzy Hash: 57414035A002199FCF04EF64C898DAEBFB9FF58355F008069E94AA7261DB70A945DF90

Function 00599C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00599CA1
GetAsyncKeyState.USER32(000000A0), ref: 00599D22
GetKeyState.USER32(000000A0), ref: 00599D3D
GetAsyncKeyState.USER32(000000A1), ref: 00599D57
GetKeyState.USER32(000000A1), ref: 00599D6C
GetAsyncKeyState.USER32(00000011), ref: 00599D84
GetKeyState.USER32(00000011), ref: 00599D96
GetAsyncKeyState.USER32(00000012), ref: 00599DAE
GetKeyState.USER32(00000012), ref: 00599DC0
GetAsyncKeyState.USER32(0000005B), ref: 00599DD8
GetKeyState.USER32(0000005B), ref: 00599DEA

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b437969e4351127e5eca46262f08b98366404981b6c1c60d1ca0ed72c50a6712
Instruction ID: 706cffc5a7f6e0a5ca6605a8dd4469ad0e6487019c066ece568fac4899871ba4
Opcode Fuzzy Hash: b437969e4351127e5eca46262f08b98366404981b6c1c60d1ca0ed72c50a6712
Instruction Fuzzy Hash: 9041C834504BC96EFF31976888447B5BEA07F22344F08805EDAC6575C2EBA59DC8C7A2

Function 005B055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005B05BC
inet_addr.WSOCK32(?), ref: 005B061C
gethostbyname.WSOCK32(?), ref: 005B0628
IcmpCreateFile.IPHLPAPI ref: 005B0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005B06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005B06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005B07B9
WSACleanup.WSOCK32 ref: 005B07BF

Strings

Ping, xrefs: 005B0676

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: b8f887b406c276574b50bc8e3442543bd8d7af5209cc694e7a20d4f6d5dabf44
Instruction ID: a4b85d82c27104b850398d93bd45610d82c33ef9d2f0e51b67dd6d8cacb62c1c
Opcode Fuzzy Hash: b8f887b406c276574b50bc8e3442543bd8d7af5209cc694e7a20d4f6d5dabf44
Instruction Fuzzy Hash: 4C9159756042019FD720DF15C888F5ABFE4FB84318F1499A9E46A9B6A2CB30FD45CF91

Function 005B8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 005B8CF3

Part of subcall function 00598E54: _wcslen.LIBCMT ref: 00598E77

_wcslen.LIBCMT ref: 005B8D4E
_wcslen.LIBCMT ref: 005B8D9C
_wcslen.LIBCMT ref: 005B8DDC
_wcslen.LIBCMT ref: 005B8E6E

Strings

stdcall, xrefs: 005B8DD6, 005B8DDB
winapi, xrefs: 005B8D96, 005B8D9B
cdecl, xrefs: 005B8D48, 005B8D4D
none, xrefs: 005B8E65, 005B8E6A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 0b3194dac332221505a21703630697b9d7c42209ff703657ecea516b756ceedc
Instruction ID: ff13b722eb5183458dabae688a62a79150b65204a6238f5cc6d9c620d4b5d5f4
Opcode Fuzzy Hash: 0b3194dac332221505a21703630697b9d7c42209ff703657ecea516b756ceedc
Instruction Fuzzy Hash: 5751A171A041179BCF14DF68C9519FEBBA9BFA4324B20562AE826E72C4DB30ED40C790

Function 005B372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 005B3774
CoUninitialize.OLE32 ref: 005B377F
CoCreateInstance.OLE32(?,00000000,00000017,005CFB78,?), ref: 005B37D9
IIDFromString.OLE32(?,?), ref: 005B384C
VariantInit.OLEAUT32(?), ref: 005B38E4
VariantClear.OLEAUT32(?), ref: 005B3936

Strings

NULL Pointer assignment, xrefs: 005B381E
Invalid parameter, xrefs: 005B3865
Failed to create object, xrefs: 005B37E4, 005B389A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 3d38987ec17df3ad2b8348fd74f6132496a56900a8e04022f4c6b20316af9a1d
Instruction ID: 3e3ff7b164549c9b9957170bbb6db8904b94c0650021dedcd8dd87978a1c2407
Opcode Fuzzy Hash: 3d38987ec17df3ad2b8348fd74f6132496a56900a8e04022f4c6b20316af9a1d
Instruction Fuzzy Hash: 67617DB1608701AFD710DF54C889BAABFE8FF89714F104819F585A7291D770EE49CB92

Function 005C8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

Part of subcall function 0054912D: GetCursorPos.USER32(?), ref: 00549141
Part of subcall function 0054912D: ScreenToClient.USER32(00000000,?), ref: 0054915E
Part of subcall function 0054912D: GetAsyncKeyState.USER32(00000001), ref: 00549183
Part of subcall function 0054912D: GetAsyncKeyState.USER32(00000002), ref: 0054919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 005C8B6B
ImageList_EndDrag.COMCTL32 ref: 005C8B71
ReleaseCapture.USER32 ref: 005C8B77
SetWindowTextW.USER32(?,00000000), ref: 005C8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 005C8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 005C8CFF

Strings

@GUI_DROPID, xrefs: 005C8C51
@GUI_DRAGFILE, xrefs: 005C8C9A
p#`, xrefs: 005C8C71

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#`
API String ID: 1924731296-825576821
Opcode ID: f11659d830e528b399923a3f81ade1bbe5e2ab888c8296087b9c7767580a3e43
Instruction ID: 9456e36bd461044cdd1adf0208d4336b0682a0a5088751552804ea8a361d28ff
Opcode Fuzzy Hash: f11659d830e528b399923a3f81ade1bbe5e2ab888c8296087b9c7767580a3e43
Instruction Fuzzy Hash: DE515971104205AFD704DF64D89AFAB7BE5FB88714F00062DF996AB2E1CB709D44CB62

Function 005A3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005A33CF

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005A33F0

Strings

Line %d (File "%s"):, xrefs: 005A3443, 005A345C
Incorrect parameters to object property !, xrefs: 005A34AB
^ ERROR , xrefs: 005A349E
"%s" (%d) : ==> %s:%s%s, xrefs: 005A3504
"%s" (%d) : ==> %s:, xrefs: 005A3522
Error: , xrefs: 005A34D1

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 48dc6d93e0830fc15d151f74ee2b3e74293a0c8f53c2148be49ef5dcc8e9cfc4
Instruction ID: d34cc118c3973e580cba7a5c5bd28a394645c4f9266585948b3a1daa94fb1bed
Opcode Fuzzy Hash: 48dc6d93e0830fc15d151f74ee2b3e74293a0c8f53c2148be49ef5dcc8e9cfc4
Instruction Fuzzy Hash: 3F519F7180020AAADF19EBA4CD4AEEEBB79BF89300F104465F10572061EB752F58DB60

Function 0059B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0059B5FC
_wcslen.LIBCMT ref: 0059B608
_wcslen.LIBCMT ref: 0059B64D
_wcslen.LIBCMT ref: 0059B68C
_wcslen.LIBCMT ref: 0059B6C7

Strings

EXISTS, xrefs: 0059B686, 0059B68B
APPEND, xrefs: 0059B6C1, 0059B6C6
REMOVE, xrefs: 0059B602, 0059B607
KEYS, xrefs: 0059B647, 0059B64C

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 0f4186d1d3f6266fb12e1408fe39671451b5a942d61e7ebd1e5e081bd4bf5114
Instruction ID: 9f0fd93e0e5e72877d23dbb927ada1f21e78a3e8f4d3694db02b97f6d249b806
Opcode Fuzzy Hash: 0f4186d1d3f6266fb12e1408fe39671451b5a942d61e7ebd1e5e081bd4bf5114
Instruction Fuzzy Hash: 8D41E532A010279AFF106F7DDA905BE7FB5FBA0794B244229E421D7284E735ED81C790

Function 005A5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005A53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 005A5416
GetLastError.KERNEL32 ref: 005A5420
SetErrorMode.KERNEL32(00000000,READY), ref: 005A54A7

Strings

READONLY, xrefs: 005A5452
READY, xrefs: 005A5460, 005A5468
INVALID, xrefs: 005A5459
UNKNOWN, xrefs: 005A5444
NOTREADY, xrefs: 005A544B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: c5d4afb09810c1a1f09071950e038193aa8df24fd4e5dbe1d6de6e711dfa1b51
Instruction ID: 5988ec489ba2ce3c3780ad89841bdcf8576fdf8e7ca9196a514fce81f35f93fe
Opcode Fuzzy Hash: c5d4afb09810c1a1f09071950e038193aa8df24fd4e5dbe1d6de6e711dfa1b51
Instruction Fuzzy Hash: A631AE75A006099FCB10DF68C488EAEBFB4FF5A305F188065E505DB292E774DD86CB90

Function 005C3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 005C3C79
SetMenu.USER32(?,00000000), ref: 005C3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005C3D10
IsMenu.USER32(?), ref: 005C3D24
CreatePopupMenu.USER32 ref: 005C3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005C3D5B
DrawMenuBar.USER32 ref: 005C3D63

Strings

F, xrefs: 005C3D4E
0, xrefs: 005C3C54

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: adb2228a14607002d534ef09aa8a3dcd7cbb81927eb8d893766c79b2d234050b
Instruction ID: d518c2a9dafff6f429f9a39234265b40aa0c08eaaf15e2033d9839958a2c0bca
Opcode Fuzzy Hash: adb2228a14607002d534ef09aa8a3dcd7cbb81927eb8d893766c79b2d234050b
Instruction Fuzzy Hash: F3416875A01609AFDB14CFA4D894FAA7FB5FF4A350F14402DF94AA7360D730AA14DB90

Function 005C3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005C3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005C3AA0
GetWindowLongW.USER32(?,000000F0), ref: 005C3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005C3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005C3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 005C3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 005C3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 005C3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 005C3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 005C3C13

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: fd1dc4228d37af214a286393aa884e3d8576df67b55cc1a06bacf3c2735ffea3
Instruction ID: 333c9504dc6ae172b5bbeb15a5764d4a51351f3c83467ae0023e0345fb00076e
Opcode Fuzzy Hash: fd1dc4228d37af214a286393aa884e3d8576df67b55cc1a06bacf3c2735ffea3
Instruction Fuzzy Hash: E0616775A00208AFDB10DFA8CC81EEE7BB8FF49704F104199FA15AB2A1C774AE45DB50

Function 0059B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0059B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0059A1E1,?,00000001), ref: 0059B165
GetWindowThreadProcessId.USER32(00000000), ref: 0059B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0059A1E1,?,00000001), ref: 0059B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0059B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0059A1E1,?,00000001), ref: 0059B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0059A1E1,?,00000001), ref: 0059B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0059A1E1,?,00000001), ref: 0059B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0059A1E1,?,00000001), ref: 0059B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0059A1E1,?,00000001), ref: 0059B21D

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 7ab7b44de8b510fc1ac6056a3db30bc1a367fe83f93739588f9ea9e9740d9a7b
Instruction ID: 94e55fb4096108f87593a9c08482e5aa59688ac132ca5008701f52592c425d0a
Opcode Fuzzy Hash: 7ab7b44de8b510fc1ac6056a3db30bc1a367fe83f93739588f9ea9e9740d9a7b
Instruction Fuzzy Hash: 8E318979540614AFFF109F28EE48F6E7FAEFB61312F105009FA06D6290D7B4AA459F60

Function 00562C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00562C94

Part of subcall function 005629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000), ref: 005629DE
Part of subcall function 005629C8: GetLastError.KERNEL32(00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000,00000000), ref: 005629F0

_free.LIBCMT ref: 00562CA0
_free.LIBCMT ref: 00562CAB
_free.LIBCMT ref: 00562CB6
_free.LIBCMT ref: 00562CC1
_free.LIBCMT ref: 00562CCC
_free.LIBCMT ref: 00562CD7
_free.LIBCMT ref: 00562CE2
_free.LIBCMT ref: 00562CED
_free.LIBCMT ref: 00562CFB

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3bc42bd911245bd28516d130c7862ea996efc7b9bd5818303baf74d9c509329b
Instruction ID: 9ba79bd06b68d3e70a6fc41a34493952d0ec961bccf6b70020eff9e298c91d6b
Opcode Fuzzy Hash: 3bc42bd911245bd28516d130c7862ea996efc7b9bd5818303baf74d9c509329b
Instruction Fuzzy Hash: 42119376600509BFCB06EF54D886CDD3FA5FF85390F4145A5FA489B232DA31EE909B90

Function 00531410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00531459
OleUninitialize.OLE32(?,00000000), ref: 005314F8
UnregisterHotKey.USER32(?), ref: 005316DD
DestroyWindow.USER32(?), ref: 005724B9
FreeLibrary.KERNEL32(?), ref: 0057251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0057254B

Strings

close all, xrefs: 00531454

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ff5b79a39e027ce34d48b03d4b3b8955a833ee73d34344c3a549f031396c01ef
Instruction ID: 2d810e5f9d0e41fc47d51fff1f43fd6b9b3fe1a616c43b2db34f3f7312d518fd
Opcode Fuzzy Hash: ff5b79a39e027ce34d48b03d4b3b8955a833ee73d34344c3a549f031396c01ef
Instruction Fuzzy Hash: 6BD17B31701612CFCB29EF64D499A69FFA4BF45704F1482ADE44EAB252CB30AD22DF54

Function 005A7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005A7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 005A7FC1
GetFileAttributesW.KERNEL32(?), ref: 005A7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 005A8005
SetCurrentDirectoryW.KERNEL32(?), ref: 005A8017
SetCurrentDirectoryW.KERNEL32(?), ref: 005A8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005A80B0

Strings

*.*, xrefs: 005A8066

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 8324abe4da682978eef740aac56ee95bda8abca1fff899c4dd34232e47e2f540
Instruction ID: 39d3e2b5bfe69c37f74891f46456726082e54e8763459eee7ad6f6386e019293
Opcode Fuzzy Hash: 8324abe4da682978eef740aac56ee95bda8abca1fff899c4dd34232e47e2f540
Instruction Fuzzy Hash: E68190725082499BCB24EF24C8589BEBBE8BF8A310F144C5EF885D7251EB35DD49CB52

Function 00535BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00535C7A

Part of subcall function 00535D0A: GetClientRect.USER32(?,?), ref: 00535D30
Part of subcall function 00535D0A: GetWindowRect.USER32(?,?), ref: 00535D71
Part of subcall function 00535D0A: ScreenToClient.USER32(?,?), ref: 00535D99

GetDC.USER32 ref: 005746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00574708
SelectObject.GDI32(00000000,00000000), ref: 00574716
SelectObject.GDI32(00000000,00000000), ref: 0057472B
ReleaseDC.USER32(?,00000000), ref: 00574733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005747C4

Strings

U, xrefs: 00574693

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 9684a28637ce36e7c2c563eb860164837a302f4208ebc03299350ac4afc4381a
Instruction ID: ed0fe032dbf50fd09587c3462dd9dafaefef4dc0addbe93f715d39c6fee13667
Opcode Fuzzy Hash: 9684a28637ce36e7c2c563eb860164837a302f4208ebc03299350ac4afc4381a
Instruction Fuzzy Hash: E171F130400209DFCF268F64D984EBA3FB5FF4A314F149269ED595A166D3309C82EF50

Function 005A359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005A35E4

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

LoadStringW.USER32(00602390,?,00000FFF,?), ref: 005A360A

Strings

Line %d (File "%s"):, xrefs: 005A366B
"%s" (%d) : ==> %s:%s%s, xrefs: 005A3724
"%s" (%d) : ==> %s:, xrefs: 005A3742
^ ERROR, xrefs: 005A36C9
Error: , xrefs: 005A36EF

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: d30eaaef56fe2e815f16136289995cf9c0dc4d4d75b394f106a83735079296bf
Instruction ID: 901b1f0657ffb5f377237798383e3f16e0b5a3e5ed4436ccb6f61762875d1f1c
Opcode Fuzzy Hash: d30eaaef56fe2e815f16136289995cf9c0dc4d4d75b394f106a83735079296bf
Instruction Fuzzy Hash: BB515EB184020ABACF15EBA0DC4AEEEBF79FF85304F145125F105721A1EB711B99DB60

Function 005AC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005AC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005AC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005AC2CA
GetLastError.KERNEL32 ref: 005AC322
SetEvent.KERNEL32(?), ref: 005AC336
InternetCloseHandle.WININET(00000000), ref: 005AC341

Strings

, xrefs: 005AC2BB

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a9ae66ee3b88e0488869fbf73625edc60ec3bfcf3a62c7227a337d76d0c097fe
Instruction ID: c576f20227f0b7c98ba2d957398de95c1aef9a77c78310ffa1601c8416b7d3dc
Opcode Fuzzy Hash: a9ae66ee3b88e0488869fbf73625edc60ec3bfcf3a62c7227a337d76d0c097fe
Instruction Fuzzy Hash: 87314DB5500604AFDB219F649888AAF7FFCFB5A744F14891EF48A92201DB34DD099B61

Function 0059989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00573AAF,?,?,Bad directive syntax error,005CCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005998BC
LoadStringW.USER32(00000000,?,00573AAF,?), ref: 005998C3

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00599987

Strings

Line %d (File "%s"):, xrefs: 0059992D
Line %d:, xrefs: 00599912
., xrefs: 0059996D
%s (%d) : ==> %s.: %s %s, xrefs: 005998F1
Error: , xrefs: 00599955

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: a1283cbbd18e78c94d5f354cafc4c8836f80ea826fcb95d4c62f9f3fbaeedbba
Instruction ID: 86f6db2206d2cc067a453ee2ace0d5bfe3206d59a81945836aeaabc879cd98c5
Opcode Fuzzy Hash: a1283cbbd18e78c94d5f354cafc4c8836f80ea826fcb95d4c62f9f3fbaeedbba
Instruction Fuzzy Hash: 81218D3184021EABCF15AF90CC4AEEE7F79FF58300F044829F619660A2EB759A18DB10

Function 0059209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0059214D

Strings

list, xrefs: 0059212F
smallicons, xrefs: 00592115
details, xrefs: 005920FB
SHELLDLL_DefView, xrefs: 005920CC
largeicons, xrefs: 005920E1

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 7bd1fd606246b51cbc2037b12aca8367099be6143fd3db623f25f1e53228d79c
Instruction ID: f26b21773f194c74e8bf48337ba3bd81555f1d161311f186f6dcc1daa1a0371b
Opcode Fuzzy Hash: 7bd1fd606246b51cbc2037b12aca8367099be6143fd3db623f25f1e53228d79c
Instruction Fuzzy Hash: F311297A68870BBAFE016224DC1BDF63F9DFB14329F20001BFB05A50D1FE656895BA14

Function 0056CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0056CEB7
_free.LIBCMT ref: 0056CF22
_free.LIBCMT ref: 0056CF48
_free.LIBCMT ref: 0056CF71
_free.LIBCMT ref: 0056CFA9
_free.LIBCMT ref: 0056CFDA
_free.LIBCMT ref: 0056D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0056D09C
_free.LIBCMT ref: 0056D0B5

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: e4e75aa2ac8f1d320bab4d748ea6a3d635a4dc4b221fa8a70621b744cba5630a
Instruction ID: 99d3beb5b320415ad90db124b4804a1f122aca58f5f930d4be0d00bafd5652f7
Opcode Fuzzy Hash: e4e75aa2ac8f1d320bab4d748ea6a3d635a4dc4b221fa8a70621b744cba5630a
Instruction Fuzzy Hash: EA616A71A04302AFDB25AFB49C89B7ABFA6FF45360F04456DF98597281E6329D01C7A0

Function 00548B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00586890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00548874,00000000,00000000,00000000,000000FF,00000000), ref: 00586901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0058691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00548874,00000000,00000000,00000000,000000FF,00000000), ref: 0058692D

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2c30de1a78557ca6247d3ed48aae219adc8a770ac7c130e169e5fe7d8eba2007
Instruction ID: 583eb1c8b70c746899e65b9311e37dd20e16d5c1c046930c4719c29a6172381c
Opcode Fuzzy Hash: 2c30de1a78557ca6247d3ed48aae219adc8a770ac7c130e169e5fe7d8eba2007
Instruction Fuzzy Hash: 80516770A00609EFDB20DF24CC95FAA7FB6FB98754F104518F956AB2A0DB70E990DB50

Function 005AC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005AC182
GetLastError.KERNEL32 ref: 005AC195
SetEvent.KERNEL32(?), ref: 005AC1A9

Part of subcall function 005AC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005AC272
Part of subcall function 005AC253: GetLastError.KERNEL32 ref: 005AC322
Part of subcall function 005AC253: SetEvent.KERNEL32(?), ref: 005AC336
Part of subcall function 005AC253: InternetCloseHandle.WININET(00000000), ref: 005AC341

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 4695315e1b4214df103c21acd41f5efda61f8588191401eb4b29ba287664ac78
Instruction ID: 56241146ad334849b2fcdfadceb7245435adcaf94b99203f8210c6edc570f414
Opcode Fuzzy Hash: 4695315e1b4214df103c21acd41f5efda61f8588191401eb4b29ba287664ac78
Instruction Fuzzy Hash: 03319075200B05AFDB219FA5DD48A6ABFF9FF6A300B04441DF99A86610D731E814EFA0

Function 005925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00593A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00593A57
Part of subcall function 00593A3D: GetCurrentThreadId.KERNEL32 ref: 00593A5E
Part of subcall function 00593A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005925B3), ref: 00593A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00592601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00592605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0059260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00592623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00592627

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 3c9bfb68d2c7f358da2e2cce6a493abef706e9c144b4586dc2e7faee5022f1bf
Instruction ID: 02f1206f07d3da964443518b4be19c96660ab213e78fda96bc03e7752c020cf3
Opcode Fuzzy Hash: 3c9bfb68d2c7f358da2e2cce6a493abef706e9c144b4586dc2e7faee5022f1bf
Instruction Fuzzy Hash: 6E01D430790610BBFB106769DC8EF593F69EB9EB12F110001F318AE1D1C9E22448DAA9

Function 00591803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00591449,?,?,00000000), ref: 0059180C
HeapAlloc.KERNEL32(00000000,?,00591449,?,?,00000000), ref: 00591813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00591449,?,?,00000000), ref: 00591828
GetCurrentProcess.KERNEL32(?,00000000,?,00591449,?,?,00000000), ref: 00591830
DuplicateHandle.KERNEL32(00000000,?,00591449,?,?,00000000), ref: 00591833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00591449,?,?,00000000), ref: 00591843
GetCurrentProcess.KERNEL32(00591449,00000000,?,00591449,?,?,00000000), ref: 0059184B
DuplicateHandle.KERNEL32(00000000,?,00591449,?,?,00000000), ref: 0059184E
CreateThread.KERNEL32(00000000,00000000,00591874,00000000,00000000,00000000), ref: 00591868

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 2d83cb45779c2ed3a87820a7eb5e9129b09c99a87a1833578ddca877d582935d
Instruction ID: 86326e5387e297135412f7a26d5c3d97f28c758b12ba0abfaddc646c415c03eb
Opcode Fuzzy Hash: 2d83cb45779c2ed3a87820a7eb5e9129b09c99a87a1833578ddca877d582935d
Instruction Fuzzy Hash: A401BBB5240748BFE710ABA6DC4DF6B3FACEB99B11F044411FA09DB1A1CA749804DB20

Function 005BA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0059D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0059D501
Part of subcall function 0059D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0059D50F
Part of subcall function 0059D4DC: CloseHandle.KERNEL32(00000000), ref: 0059D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 005BA16D
GetLastError.KERNEL32 ref: 005BA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 005BA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 005BA268
GetLastError.KERNEL32(00000000), ref: 005BA273
CloseHandle.KERNEL32(00000000), ref: 005BA2C4

Strings

SeDebugPrivilege, xrefs: 005BA18F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 148de97c05cfc2278d8b07fcafd6dde4e7649a3cdaf5d12988ae4ce22d599cda
Instruction ID: eb34abc725bce092e63304681fd521eb37045b71468cbaafe44e9b68a6f3b906
Opcode Fuzzy Hash: 148de97c05cfc2278d8b07fcafd6dde4e7649a3cdaf5d12988ae4ce22d599cda
Instruction Fuzzy Hash: 70617D34204642AFD710DF19C498F55BFA1BF94318F18849CE4564BBA2C772EC49CB92

Function 005C3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005C3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 005C393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005C3954
_wcslen.LIBCMT ref: 005C3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 005C39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005C39F4

Strings

SysListView32, xrefs: 005C38F7

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 298ce30edf814bb0708c3b545daaebd9da0cfdbb7840c17941a3a76094c2dcf5
Instruction ID: 283327e0fa1bf89ceca79109924c84f4853b9c65a7cd9c75aa9abf65e8eb3104
Opcode Fuzzy Hash: 298ce30edf814bb0708c3b545daaebd9da0cfdbb7840c17941a3a76094c2dcf5
Instruction Fuzzy Hash: 8B41B231A0021DAFDB219FA4CC49FEA7FA9FF48350F10452AF958E7281D7759A84CB90

Function 0059BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0059BCFD
IsMenu.USER32(00000000), ref: 0059BD1D
CreatePopupMenu.USER32 ref: 0059BD53
GetMenuItemCount.USER32(010F5618), ref: 0059BDA4
InsertMenuItemW.USER32(010F5618,?,00000001,00000030), ref: 0059BDCC

Strings

2, xrefs: 0059BD37
0, xrefs: 0059BCA8

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: aa7b1586d52c27663997457358085b241176be843f15748b73408b9eed815ed8
Instruction ID: fd7f49a52baa116a48ba9e93b1c51c406050ab5311f18dacff39d33f3d78a3ca
Opcode Fuzzy Hash: aa7b1586d52c27663997457358085b241176be843f15748b73408b9eed815ed8
Instruction Fuzzy Hash: 0251BE70A0030A9BFF20CFA8EA88BAEBFF8BF95314F144559E405E7290D7709945CB61

Function 00552D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00552D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00552D53
_ValidateLocalCookies.LIBCMT ref: 00552DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00552E0C
_ValidateLocalCookies.LIBCMT ref: 00552E61

Strings

&HU, xrefs: 00552DFE, 00552E07, 00552E18
csm, xrefs: 00552DF6

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HU$csm
API String ID: 1170836740-1876588605
Opcode ID: 2e69164f73a246e196471141d3e3e0ac4c985b2223f128718f5645e5ef72cac0
Instruction ID: ae0c54f988806b349cce5d11d8478a1a9b4d4ab5fe7b1a305ad962a832d03862
Opcode Fuzzy Hash: 2e69164f73a246e196471141d3e3e0ac4c985b2223f128718f5645e5ef72cac0
Instruction Fuzzy Hash: AB419834A01209ABCF14DF68C869A9EBFB5BF46355F148157EC186B352D731AE0ACBD0

Function 0059C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0059C913

Strings

warning, xrefs: 0059C8FC
question, xrefs: 0059C8CC
blank, xrefs: 0059C895
stop, xrefs: 0059C8E4
info, xrefs: 0059C8B4

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 27da4acfa2e99ed8114f098ade9ea0ba0747cd131103a92d88f5f1f4f04102fc
Instruction ID: 50edd027cee30b2c031a03bb56cc889e678ba1a8b9347f1c3c491536a8fc0bc5
Opcode Fuzzy Hash: 27da4acfa2e99ed8114f098ade9ea0ba0747cd131103a92d88f5f1f4f04102fc
Instruction Fuzzy Hash: 2811EB3168970BBFAF056B54DC82CAA7F9CFF15759B20042BF904A6182D7646D405764

Function 0059ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0059ED2A
_wcslen.LIBCMT ref: 0059ED3B
_wcslen.LIBCMT ref: 0059ED79
_wcslen.LIBCMT ref: 0059EDAF
_wcslen.LIBCMT ref: 0059EDDF
_wcslen.LIBCMT ref: 0059EDEF
_wcslen.LIBCMT ref: 0059EE2B
_wcslen.LIBCMT ref: 0059EE5A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 3e3b183f9592013fc74a3a544cb76921bec591b0813d21128e2e8bf46b5f3e13
Instruction ID: 5bd57fb207335634cbd382e3ce7f0af4c71ce3589b8abd32688e1b64209b24be
Opcode Fuzzy Hash: 3e3b183f9592013fc74a3a544cb76921bec591b0813d21128e2e8bf46b5f3e13
Instruction Fuzzy Hash: E641926AC1021965CB11EBB4888F9CFBBBCBF85311F508467E914E3122EB34D249C7A5

Function 0054F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0058682C,00000004,00000000,00000000), ref: 0054F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0058682C,00000004,00000000,00000000), ref: 0058F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0058682C,00000004,00000000,00000000), ref: 0058F454

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4c59e49fd565b0bc4aeb50c99ac3cd8560b0a18a9583f467cfe52de80e86626b
Instruction ID: 3412a467e16c275d8900986fc33d946f859ae3204e13cb62cc05688cf3dcc9e0
Opcode Fuzzy Hash: 4c59e49fd565b0bc4aeb50c99ac3cd8560b0a18a9583f467cfe52de80e86626b
Instruction Fuzzy Hash: A1410B31608640BED7399F2DD988BAB7FD2BF9A318F14483DE48B67560D731A880D711

Function 005C2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005C2D1B
GetDC.USER32(00000000), ref: 005C2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005C2D2E
ReleaseDC.USER32(00000000,00000000), ref: 005C2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 005C2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005C2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005C5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 005C2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005C2DE1

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 029abd8c993cec23e5ec31c6cb2c2d2c3eb0f6ece8287b922db3daf0c0714017
Instruction ID: f99143e817fd859f11772767282d3f496d7f4e065983551ada65fb1ffb6d057a
Opcode Fuzzy Hash: 029abd8c993cec23e5ec31c6cb2c2d2c3eb0f6ece8287b922db3daf0c0714017
Instruction Fuzzy Hash: ED318B72201614BFEB118F548C8AFEB3FA9FB19711F084055FE099A291C6759C41CBA0

Function 00595622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00595637
_memcmp.LIBVCRUNTIME ref: 00595659
_memcmp.LIBVCRUNTIME ref: 00595671
_memcmp.LIBVCRUNTIME ref: 00595684
_memcmp.LIBVCRUNTIME ref: 0059569E
_memcmp.LIBVCRUNTIME ref: 005956B1
_memcmp.LIBVCRUNTIME ref: 005956C9
_memcmp.LIBVCRUNTIME ref: 005956E4

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 613a9b5c39761da3356457dcf6dfed67dce5de59bdc8ddf2d594c556b7c03b8e
Instruction ID: 57964b20773d7cf7381492ebfe5872dd2c1ef7aafd7583f1132b3648b28662b6
Opcode Fuzzy Hash: 613a9b5c39761da3356457dcf6dfed67dce5de59bdc8ddf2d594c556b7c03b8e
Instruction Fuzzy Hash: 77214961740E0A7BDA065E20DEA2FFA3F5DBF60385F000425FD069A581F720EE3483A8

Function 005B4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 005B502E, 005B5383
Not an Object type, xrefs: 005B5007

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5ec6969436c996ec9fd7bb48ca45fc1145391b8741f189420a52962b41182933
Instruction ID: dd36d497420baee71869b99ac22db02642cf1f626388f6c4a84b311c88990fff
Opcode Fuzzy Hash: 5ec6969436c996ec9fd7bb48ca45fc1145391b8741f189420a52962b41182933
Instruction Fuzzy Hash: AED1C171A0060A9FDF18DFA8C885FEEBBB5BF48344F148469E915AB281E770ED45CB50

Function 00571522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,005717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 005715CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00571651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,005717FB,?,005717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005716E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005716FB

Part of subcall function 00563820: RtlAllocateHeap.NTDLL(00000000,?,00601444,?,0054FDF5,?,?,0053A976,00000010,00601440,005313FC,?,005313C6,?,00531129), ref: 00563852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,005717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00571777
__freea.LIBCMT ref: 005717A2
__freea.LIBCMT ref: 005717AE

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: de88c4648d232f75ca2ee1ce596337444402e30bd930d6a68e8e33073b16ea60
Instruction ID: 538d18a5d96710c73651271e72c3c8cbaf0135395151da80b3b307134bc28abb
Opcode Fuzzy Hash: de88c4648d232f75ca2ee1ce596337444402e30bd930d6a68e8e33073b16ea60
Instruction Fuzzy Hash: 4991D471E00A069EDB288E78E885AEE7FB5FF45710F188519E80AE7141D725DC44EBA4

Function 005B4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005B4648
VariantInit.OLEAUT32(?), ref: 005B4749
VariantClear.OLEAUT32(?), ref: 005B4753
VariantClear.OLEAUT32(?), ref: 005B47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 005B472C
Null Object assignment in FOR..IN loop, xrefs: 005B45D8, 005B4706, 005B47BE

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: b1708951aa014f50ed05673cdf7a708dbff8a5975a042d4bf5466bbc12b7e686
Instruction ID: ef754b131ef9e8cd631c2ccb7f4892562793a5fe088552e472ec319210d598e4
Opcode Fuzzy Hash: b1708951aa014f50ed05673cdf7a708dbff8a5975a042d4bf5466bbc12b7e686
Instruction Fuzzy Hash: 1E916F71A00219ABDF24CFA5C848FEE7FB8FF46715F108559E505AB282D770A945CFA0

Function 005A1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 005A125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 005A1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005A12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005A12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005A135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005A13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005A1430

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 6d189e549235b460d5f1c98130e8ed6dc9511bcf71a62553246f3c37f08ddfc2
Instruction ID: af35e07517434ed1f5720602342add3ede390eff79d644d56baf7be1ed6eb37b
Opcode Fuzzy Hash: 6d189e549235b460d5f1c98130e8ed6dc9511bcf71a62553246f3c37f08ddfc2
Instruction Fuzzy Hash: 69911475A00609AFDB00DF98C889BBEBFB5FF86315F104429E941EB291D774E941CB98

Function 0054948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7c46f4ec269c9d1dd9b44a9c214597e4081fd19c863140c9c5bcc220065bc649
Instruction ID: 306e19ccc55d76bb1d58a11d48f896581c1eadfacd9d24e058983ef78076bada
Opcode Fuzzy Hash: 7c46f4ec269c9d1dd9b44a9c214597e4081fd19c863140c9c5bcc220065bc649
Instruction Fuzzy Hash: 47912571D00219AFCB10CFA9C889AEEBFB8FF89324F244459E915B7251D774A941DB60

Function 005B3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005B396B
CharUpperBuffW.USER32(?,?), ref: 005B3A7A
_wcslen.LIBCMT ref: 005B3A8A
VariantClear.OLEAUT32(?), ref: 005B3C1F

Part of subcall function 005A0CDF: VariantInit.OLEAUT32(00000000), ref: 005A0D1F
Part of subcall function 005A0CDF: VariantCopy.OLEAUT32(?,?), ref: 005A0D28
Part of subcall function 005A0CDF: VariantClear.OLEAUT32(?), ref: 005A0D34

Strings

AUTOIT.ERROR, xrefs: 005B3A80, 005B3A85
Incorrect Parameter format, xrefs: 005B39A6, 005B3BA1

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 9329f16b9cb38d4301fe4ee1a2aadc2b4d370158ac21f1c16b819044605ff5fd
Instruction ID: 85ed66bc567ed492836ba4a08ae9db5c7241a0e01481b4d76049c1248730fae5
Opcode Fuzzy Hash: 9329f16b9cb38d4301fe4ee1a2aadc2b4d370158ac21f1c16b819044605ff5fd
Instruction Fuzzy Hash: F89147756083069FCB14DF28C4859AABBE4FF89314F14882DF889A7351DB30EE45CB92

Function 005B4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0059000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?,?,?,0059035E), ref: 0059002B
Part of subcall function 0059000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?,?), ref: 00590046
Part of subcall function 0059000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?,?), ref: 00590054
Part of subcall function 0059000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?), ref: 00590064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 005B4C51
_wcslen.LIBCMT ref: 005B4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 005B4DCF
CoTaskMemFree.OLE32(?), ref: 005B4DDA

Strings

NULL Pointer assignment, xrefs: 005B4E23, 005B4E52

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 36eaaac952c9443b20fe3b0652cf0db1700f47080895ec9e613d0ee03dca5b7f
Instruction ID: 19fafcb79f465fd277ead3322b7ed098dc1abb5a862e0a34aa1dfb5ef0485dc8
Opcode Fuzzy Hash: 36eaaac952c9443b20fe3b0652cf0db1700f47080895ec9e613d0ee03dca5b7f
Instruction Fuzzy Hash: 61912771D0021DAFDF24DFA4C895AEEBBB8BF48310F108569E915A7251DB70AE44CFA0

Function 005C20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 005C2183
GetMenuItemCount.USER32(00000000), ref: 005C21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005C21DD
_wcslen.LIBCMT ref: 005C2213
GetMenuItemID.USER32(?,?), ref: 005C224D
GetSubMenu.USER32(?,?), ref: 005C225B

Part of subcall function 00593A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00593A57
Part of subcall function 00593A3D: GetCurrentThreadId.KERNEL32 ref: 00593A5E
Part of subcall function 00593A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005925B3), ref: 00593A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005C22E3

Part of subcall function 0059E97B: Sleep.KERNEL32 ref: 0059E9F3

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: d2ab9e7ea7047f2b84dde85c26f92ceeed670e7b9f4b7b734214dd277acd4ffe
Instruction ID: fc08ea5ce1c8bf82b2f3408473bc4a1d3e9b18eba9cb646ef7062ca2f02071ee
Opcode Fuzzy Hash: d2ab9e7ea7047f2b84dde85c26f92ceeed670e7b9f4b7b734214dd277acd4ffe
Instruction Fuzzy Hash: C9714C79A00215AFCB14EFA8C885EAEBFB5FF88310F148459E916EB351D734AD41CB90

Function 0059AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0059AEF9
GetKeyboardState.USER32(?), ref: 0059AF0E
SetKeyboardState.USER32(?), ref: 0059AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0059AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0059AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0059AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0059B020

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3f087989b849bdaca315e26eea5b5067677bade053ab2e3c53d8893eabbb103b
Instruction ID: 1c4b5378550d577009005a2bebf3c0b64c82fb8abe2517230542af80a365d616
Opcode Fuzzy Hash: 3f087989b849bdaca315e26eea5b5067677bade053ab2e3c53d8893eabbb103b
Instruction Fuzzy Hash: A151A3A4A047D53DFF3683348D49BBA7EA97B06304F088589E1D9558C3D3D9ACC8D7A1

Function 0059ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0059AD19
GetKeyboardState.USER32(?), ref: 0059AD2E
SetKeyboardState.USER32(?), ref: 0059AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0059ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0059ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0059AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0059AE38

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 046ce149928fd2396f76867d55bf7f96b38ab4f6098bc68824e31a4793ec4638
Instruction ID: 8392b14b2e206ba857bd547ccb81ceac2e85928333a3bdc945099269fdcc00fb
Opcode Fuzzy Hash: 046ce149928fd2396f76867d55bf7f96b38ab4f6098bc68824e31a4793ec4638
Instruction Fuzzy Hash: 995193A19047D53DFF3683248C55B7A7EADBB46300F088589E1D9568C2D794EC88E7B2

Function 0056542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00573CD6,?,?,?,?,?,?,?,?,00565BA3,?,?,00573CD6,?,?), ref: 00565470
__fassign.LIBCMT ref: 005654EB
__fassign.LIBCMT ref: 00565506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00573CD6,00000005,00000000,00000000), ref: 0056552C
WriteFile.KERNEL32(?,00573CD6,00000000,00565BA3,00000000,?,?,?,?,?,?,?,?,?,00565BA3,?), ref: 0056554B
WriteFile.KERNEL32(?,?,00000001,00565BA3,00000000,?,?,?,?,?,?,?,?,?,00565BA3,?), ref: 00565584

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a726d4c5b20352eb4e359e706137dbd8704f218a1ac39a4d73d2b60de7f85305
Instruction ID: f8b91d0e290a43eeaf55d10d57f37bc52c5eed61af6d6021fd92f26fe32b1752
Opcode Fuzzy Hash: a726d4c5b20352eb4e359e706137dbd8704f218a1ac39a4d73d2b60de7f85305
Instruction Fuzzy Hash: FA51B0B0A406499FDB10CFA8D849AEEBFF9FF19300F14455AF956E7291E6309A41CB60

Function 005B10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005B307A
Part of subcall function 005B304E: _wcslen.LIBCMT ref: 005B309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005B1112
WSAGetLastError.WSOCK32 ref: 005B1121
WSAGetLastError.WSOCK32 ref: 005B11C9
closesocket.WSOCK32(00000000), ref: 005B11F9

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: f53eacd9201edacae481d5930932e118927fa2b4c99e283e2d6bf59f6031a6b9
Instruction ID: f970bbe3ac1adc5a73f1e2b9e655a6c3a2d79caec036e3ccb1c0ff379817800a
Opcode Fuzzy Hash: f53eacd9201edacae481d5930932e118927fa2b4c99e283e2d6bf59f6031a6b9
Instruction Fuzzy Hash: 1B41F731600904AFDB109F18C898BEABFE9FF85314F148059F9099B291C770BD45CBA4

Function 0059CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0059DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0059CF22,?), ref: 0059DDFD

Part of subcall function 0059DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0059CF22,?), ref: 0059DE16

lstrcmpiW.KERNEL32(?,?), ref: 0059CF45
MoveFileW.KERNEL32(?,?), ref: 0059CF7F
_wcslen.LIBCMT ref: 0059D005
_wcslen.LIBCMT ref: 0059D01B
SHFileOperationW.SHELL32(?), ref: 0059D061

Strings

\*.*, xrefs: 0059CFF3

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 9deaf0c172044e195aca8ef26d050ea4d7d37b09c3e35a3a0faf19bbaac15958
Instruction ID: 4e6a830924ee0a4200be444c92469827e9c06c6f32a0135172e3a3ff0c9b52b3
Opcode Fuzzy Hash: 9deaf0c172044e195aca8ef26d050ea4d7d37b09c3e35a3a0faf19bbaac15958
Instruction Fuzzy Hash: 9A4146719452195FDF12EBA4D985EDDBFB9BF48380F1000E6E509EB141EA34A688CB50

Function 005C2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 005C2E1C
GetWindowLongW.USER32(?,000000F0), ref: 005C2E4F
GetWindowLongW.USER32(?,000000F0), ref: 005C2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 005C2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 005C2EE0
GetWindowLongW.USER32(?,000000F0), ref: 005C2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005C2F0B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 44d06a35d0c0a0e6f000ebee50d0173f07832e01493d3d0dbc03e67cd4b04d95
Instruction ID: 34a9c1e100a5e84088124b8dc2f6d93ad4a8c1f57b7adf87e5cddd24875164c7
Opcode Fuzzy Hash: 44d06a35d0c0a0e6f000ebee50d0173f07832e01493d3d0dbc03e67cd4b04d95
Instruction Fuzzy Hash: 75311530644254AFDB21DF98DD84FA53BE9FB9A710F151168F904AF2B1CB71AC84DB41

Function 00597726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00597769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0059778F
SysAllocString.OLEAUT32(00000000), ref: 00597792
SysAllocString.OLEAUT32(?), ref: 005977B0
SysFreeString.OLEAUT32(?), ref: 005977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005977DE
SysAllocString.OLEAUT32(?), ref: 005977EC

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1df40e2808104f1de0436d677c49e70d27923f45e7178934dcfea788f0055433
Instruction ID: abc62dad36db5ba786f1210ad426057b66280912930d2a111d5e53bbe9eb28c3
Opcode Fuzzy Hash: 1df40e2808104f1de0436d677c49e70d27923f45e7178934dcfea788f0055433
Instruction Fuzzy Hash: 0021907661421DAFDF10DFA9CC88CBB7BACFB097647048426FA19DB260D670DC468760

Function 005977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00597842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00597868
SysAllocString.OLEAUT32(00000000), ref: 0059786B
SysAllocString.OLEAUT32 ref: 0059788C
SysFreeString.OLEAUT32 ref: 00597895
StringFromGUID2.OLE32(?,?,00000028), ref: 005978AF
SysAllocString.OLEAUT32(?), ref: 005978BD

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 612ad3374a8c2c77ac6f79d70f2b5650b6598a0a72ddfa83dc490f289760a6ff
Instruction ID: 5677f257cceaa21f9b79b30788b5994e0e3c2fd74c48febb0cfc07f556c5d3ed
Opcode Fuzzy Hash: 612ad3374a8c2c77ac6f79d70f2b5650b6598a0a72ddfa83dc490f289760a6ff
Instruction Fuzzy Hash: 0C217131618208AFDF109FA8DC8CDAA7BECFB0D7607148126F915CB2A1D670DC45DB64

Function 005A04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005A04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005A052E

Strings

nul, xrefs: 005A0567

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4113859b4cbf0ec8d830fa1510dee648a188e7a459b6717724fc10375d7428f5
Instruction ID: ef3694c9653df360167717b1edd37176199441b4123ea8a9a210d6e0517753f6
Opcode Fuzzy Hash: 4113859b4cbf0ec8d830fa1510dee648a188e7a459b6717724fc10375d7428f5
Instruction Fuzzy Hash: 71219A74910305AFCF208F29DC48AAE7FF4BF5A760F204A19E8A1D22E0E7709940CF20

Function 005A05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005A05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005A0601

Strings

nul, xrefs: 005A0639

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 081cf0d66cb75bb82ea47e29c75146db4853d3c00a5923e7192e578ecfa149d4
Instruction ID: 37dbc36e90dbd77e80a23b671892f295f46763d195c734c802e1775e23d25685
Opcode Fuzzy Hash: 081cf0d66cb75bb82ea47e29c75146db4853d3c00a5923e7192e578ecfa149d4
Instruction Fuzzy Hash: 572151755103059FDB209F699C04EAE7FE4BF96724F201A19F9A1E72E0E7709960CB20

Function 005C40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0053600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0053604C
Part of subcall function 0053600E: GetStockObject.GDI32(00000011), ref: 00536060
Part of subcall function 0053600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0053606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005C4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005C411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005C412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005C4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005C4145

Strings

Msctls_Progress32, xrefs: 005C40E3

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: f03912ad76be1925a1a0476145c56b05abb0d6acb8904e0c77d001792d67c8bb
Instruction ID: 4d7fa520a7c65c8906b6643016b21771263e2a5e5ba901790e171a9c78e6499e
Opcode Fuzzy Hash: f03912ad76be1925a1a0476145c56b05abb0d6acb8904e0c77d001792d67c8bb
Instruction Fuzzy Hash: 651190B214021EBEEF118EA4CC86EE77F9DFF08798F004111FB18A6050C6729C61DBA4

Function 0056D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0056D7A3: _free.LIBCMT ref: 0056D7CC

_free.LIBCMT ref: 0056D82D

Part of subcall function 005629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000), ref: 005629DE
Part of subcall function 005629C8: GetLastError.KERNEL32(00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000,00000000), ref: 005629F0

_free.LIBCMT ref: 0056D838
_free.LIBCMT ref: 0056D843
_free.LIBCMT ref: 0056D897
_free.LIBCMT ref: 0056D8A2
_free.LIBCMT ref: 0056D8AD
_free.LIBCMT ref: 0056D8B8

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 938e3e411e477f433ad6da2642bd2b08e02ec641c1848f6ffb3cd9df275ddb83
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: A3114C71A40B05AAD621BFB0CC4FFCB7FECBF80700F440C25B29DA7092DA69B5458661

Function 0059DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0059DA74
LoadStringW.USER32(00000000), ref: 0059DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0059DA91
LoadStringW.USER32(00000000), ref: 0059DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0059DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0059DAB9

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 13bc33d7716b99ef5ba60cc1be472c8389a7352bc383ca23857255583bad9e9d
Instruction ID: 9c6750ab582e47643b6fa6d8b6b4cda8d125fab980e5b5efc5dfee716d049b72
Opcode Fuzzy Hash: 13bc33d7716b99ef5ba60cc1be472c8389a7352bc383ca23857255583bad9e9d
Instruction Fuzzy Hash: BE0186F25002087FEB10ABA49D89EFB3B6CE708301F400495F74AE2041EA749E889F74

Function 005A096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(010EE0B0,010EE0B0), ref: 005A097B
EnterCriticalSection.KERNEL32(010EE090,00000000), ref: 005A098D
TerminateThread.KERNEL32(?,000001F6), ref: 005A099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 005A09A9
CloseHandle.KERNEL32(?), ref: 005A09B8
InterlockedExchange.KERNEL32(010EE0B0,000001F6), ref: 005A09C8
LeaveCriticalSection.KERNEL32(010EE090), ref: 005A09CF

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c85ef5297fbbeb439ae5e2d979861de1993fc1f6ddca57390edba648b82c3d6f
Instruction ID: 7af48cf678638b2ffe6df7ca24175171a16a6673181874fd71db71c92c7973f9
Opcode Fuzzy Hash: c85ef5297fbbeb439ae5e2d979861de1993fc1f6ddca57390edba648b82c3d6f
Instruction Fuzzy Hash: DFF01932442A02AFD7415BA4EE88EEABE39FF11702F402025F206918A0C774946ADFA0

Function 005B1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 005B1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005B1DE1
WSAGetLastError.WSOCK32 ref: 005B1DF2
htons.WSOCK32(?,?,?,?,?), ref: 005B1EDB
inet_ntoa.WSOCK32(?), ref: 005B1E8C

Part of subcall function 005939E8: _strlen.LIBCMT ref: 005939F2

Part of subcall function 005B3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,005AEC0C), ref: 005B3240

_strlen.LIBCMT ref: 005B1F35

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 6a0d9d1cf50d516a379bb41eda1ac60be89202593255e39243abf80536d619a5
Instruction ID: 30586435d3a2d7b9bcf62badb001e6bc022a2c12e3f744898dfabf4c3c6edc56
Opcode Fuzzy Hash: 6a0d9d1cf50d516a379bb41eda1ac60be89202593255e39243abf80536d619a5
Instruction Fuzzy Hash: 5AB1CD30204741AFC324DF24C899EAA7FA5BFC4318FA4894CF5565B2A2DB31ED46CB91

Function 00535D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00535D30
GetWindowRect.USER32(?,?), ref: 00535D71
ScreenToClient.USER32(?,?), ref: 00535D99
GetClientRect.USER32(?,?), ref: 00535ED7
GetWindowRect.USER32(?,?), ref: 00535EF8

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a1e729d8b6c8e73c980f8c10c5b7ba23d984d4f82a63491485ac855f42e51452
Instruction ID: a60f866437524d66adb320c820fc611e804bf5c95fa9736db41641a6ce074f09
Opcode Fuzzy Hash: a1e729d8b6c8e73c980f8c10c5b7ba23d984d4f82a63491485ac855f42e51452
Instruction Fuzzy Hash: 34B16B75A00A4ADBDB10CFA9C4407EEBBF5FF54310F14981AE8A9D7250E734AA51EB50

Function 005601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005600D6
__allrem.LIBCMT ref: 005600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0056010B
__allrem.LIBCMT ref: 00560122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00560140

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 0a2682f2066a20971b4c261f7c443a2ee09c3c77797874906632cf3dc3d985ae
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: A1810572A00B06ABE7249F68CC55B6B7BE9BF81324F24453AF851D76C1EB70D9448B90

Function 005661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005582D9,005582D9,?,?,?,0056644F,00000001,00000001,8BE85006), ref: 00566258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0056644F,00000001,00000001,8BE85006,?,?,?), ref: 005662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005663D8
__freea.LIBCMT ref: 005663E5

Part of subcall function 00563820: RtlAllocateHeap.NTDLL(00000000,?,00601444,?,0054FDF5,?,?,0053A976,00000010,00601440,005313FC,?,005313C6,?,00531129), ref: 00563852

__freea.LIBCMT ref: 005663EE
__freea.LIBCMT ref: 00566413

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 0636022660774090955b3cbb8c7c7a0a8ce45331dd902e08f70cfaf51afa43bf
Instruction ID: 6ef967b5e2c82bbbb54bf0544e1d8ca394d0f373340f1fb57eb102701b220b7c
Opcode Fuzzy Hash: 0636022660774090955b3cbb8c7c7a0a8ce45331dd902e08f70cfaf51afa43bf
Instruction Fuzzy Hash: 6651AF72B00216ABEB258F64DC95EAF7FA9FB84750F154A29F805DB240EB34DC44D6A0

Function 005BBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 005BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005BB6AE,?,?), ref: 005BC9B5
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BC9F1
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA68
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005BBD25
RegCloseKey.ADVAPI32(00000000), ref: 005BBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005BBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 005BBDF3
RegCloseKey.ADVAPI32(?), ref: 005BBDFF

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 3626dc8f39072db9283d2de8ab3ce74aeb1466982c84f28388e71d74a3bbf60a
Instruction ID: a9326bd320cfa7af2c24b89e7e0af098482ea95ec415060bc882ccafb706d584
Opcode Fuzzy Hash: 3626dc8f39072db9283d2de8ab3ce74aeb1466982c84f28388e71d74a3bbf60a
Instruction Fuzzy Hash: ED81AF70208242AFD714DF24C895E6ABFE5FF84308F14895CF4994B2A2DBB1ED45CB92

Function 0058F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0058F7B9
SysAllocString.OLEAUT32(00000001), ref: 0058F860
VariantCopy.OLEAUT32(0058FA64,00000000), ref: 0058F889
VariantClear.OLEAUT32(0058FA64), ref: 0058F8AD
VariantCopy.OLEAUT32(0058FA64,00000000), ref: 0058F8B1
VariantClear.OLEAUT32(?), ref: 0058F8BB

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f5ed179fe7f3e2b35c90b341d4cccf18347a9e0f8fdda480c8981a4095cece6e
Instruction ID: b1e4ae652ebde1b093284054abc2994afdd12b73889bcf520514552b36a2c91a
Opcode Fuzzy Hash: f5ed179fe7f3e2b35c90b341d4cccf18347a9e0f8fdda480c8981a4095cece6e
Instruction Fuzzy Hash: 6851B771600311BBDF14BB65D899B29BBA8FF99310F249866ED05FF291DB708C40CB66

Function 005A910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00537620: _wcslen.LIBCMT ref: 00537625

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005A94E5
_wcslen.LIBCMT ref: 005A9506
_wcslen.LIBCMT ref: 005A952D
GetSaveFileNameW.COMDLG32(00000058), ref: 005A9585

Strings

X, xrefs: 005A9412

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 991efc3c513f5646d4ead6a099cd142abd5c194d472febf46ad886ef4ef848ca
Instruction ID: 9a5820e3f299bd788be51515ce49904b596029689b9dba1fa4dde90eac48ccea
Opcode Fuzzy Hash: 991efc3c513f5646d4ead6a099cd142abd5c194d472febf46ad886ef4ef848ca
Instruction Fuzzy Hash: F7E190719083119FDB24DF24C485A6EBBE4BFC9314F14896DF8899B2A2DB31DD05CB92

Function 0054920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

BeginPaint.USER32(?,?,?), ref: 00549241
GetWindowRect.USER32(?,?), ref: 005492A5
ScreenToClient.USER32(?,?), ref: 005492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005492D3
EndPaint.USER32(?,?,?,?,?), ref: 00549321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005871EA

Part of subcall function 00549339: BeginPath.GDI32(00000000), ref: 00549357

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 3612f14497968d205017270065d644c681f440e4213c5869bbb31f0d60527c57
Instruction ID: 446150343bd75af970d65ceb31e9d362849110267a48046696273ff40652292e
Opcode Fuzzy Hash: 3612f14497968d205017270065d644c681f440e4213c5869bbb31f0d60527c57
Instruction Fuzzy Hash: 6B418C70108201AFD721DF24CC89FAB7FA9FB9A324F140669F9949B2A1C7719845DB61

Function 005A07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 005A080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 005A0847
EnterCriticalSection.KERNEL32(?), ref: 005A0863
LeaveCriticalSection.KERNEL32(?), ref: 005A08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005A08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 005A0921

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c0ec240d3ae2b9254e47b09656d2949656fea8cfc5ed949009b0450637c63d3d
Instruction ID: b8f628f2d2eb2a9c6563a99c7f6620bb2d648225e8e5940f143c5817a720584d
Opcode Fuzzy Hash: c0ec240d3ae2b9254e47b09656d2949656fea8cfc5ed949009b0450637c63d3d
Instruction Fuzzy Hash: 2F418971900206EFDF04AF54DC89AAABBB8FF45300F1440A9ED049A297DB34DE65DBA4

Function 005C81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0058F3AB,00000000,?,?,00000000,?,0058682C,00000004,00000000,00000000), ref: 005C824C
EnableWindow.USER32(?,00000000), ref: 005C8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005C82D1
ShowWindow.USER32(?,00000004), ref: 005C82E5
EnableWindow.USER32(?,00000001), ref: 005C830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 005C832F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 3995b7330b07fa28a67049727489d39f6ff94749a02e526d3452b6114542b14f
Instruction ID: 3b2126bbeda44873b0d76b94fe38778f8a70170192e520ad67c3a7352ee5294b
Opcode Fuzzy Hash: 3995b7330b07fa28a67049727489d39f6ff94749a02e526d3452b6114542b14f
Instruction Fuzzy Hash: 50417D34601A44AFDB21CF95CC99FB57FE1FB4AB14F1852ADE5084F2A2CB31A845CB50

Function 00594C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00594C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00594CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00594CEA
_wcslen.LIBCMT ref: 00594D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00594D10
_wcsstr.LIBVCRUNTIME ref: 00594D1A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 3359c9c1f2e113b5e4df71fefdbb914458925804b5c87a224375d1bc4d49ccae
Instruction ID: 533d5b1561ef722c0070159d5865a867e5c647bbc99b0440bb9d4bbb9455154d
Opcode Fuzzy Hash: 3359c9c1f2e113b5e4df71fefdbb914458925804b5c87a224375d1bc4d49ccae
Instruction Fuzzy Hash: 4221F636604201BFEF155B39AD49E7B7FACEF85754F10802AF809CE191EA61DC429BA0

Function 005A581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00533AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00533A97,?,?,00532E7F,?,?,?,00000000), ref: 00533AC2

_wcslen.LIBCMT ref: 005A587B
CoInitialize.OLE32(00000000), ref: 005A5995
CoCreateInstance.OLE32(005CFCF8,00000000,00000001,005CFB68,?), ref: 005A59AE
CoUninitialize.OLE32 ref: 005A59CC

Strings

.lnk, xrefs: 005A5876, 005A58C1, 005A5985

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 872b258c1659538feb5d608312bc6ad1b8ae4a57c50c175ca4d3734bde9da6fc
Instruction ID: 5dd87272a128ea3ecdeac1bcc008710f3279db01abcb8b6a31c238f19bd5db94
Opcode Fuzzy Hash: 872b258c1659538feb5d608312bc6ad1b8ae4a57c50c175ca4d3734bde9da6fc
Instruction Fuzzy Hash: FBD151756086069FC714DF24C484E2EBBE5FF8A714F148859F88A9B361EB31EC45CB92

Function 0059175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00590FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00590FCA
Part of subcall function 00590FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00590FD6
Part of subcall function 00590FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00590FE5
Part of subcall function 00590FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00590FEC
Part of subcall function 00590FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00591002

GetLengthSid.ADVAPI32(?,00000000,00591335), ref: 005917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005917BA
HeapAlloc.KERNEL32(00000000), ref: 005917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005917DA
GetProcessHeap.KERNEL32(00000000,00000000,00591335), ref: 005917EE
HeapFree.KERNEL32(00000000), ref: 005917F5

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 3c5b2d6b90759eb5bf3743664514af75280eebdd12aad4b33e218e4c1d7066e3
Instruction ID: 6298789c9c8067de21b260bf2e1b68d9c6ef634a775a09f19fa16aa9f0a55b96
Opcode Fuzzy Hash: 3c5b2d6b90759eb5bf3743664514af75280eebdd12aad4b33e218e4c1d7066e3
Instruction Fuzzy Hash: 59119732A00A16EFDF149FA5CC49FAE7FB9FB41355F144418F486A7220C736A948DB68

Function 005914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00591506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00591515
CloseHandle.KERNEL32(00000004), ref: 00591520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0059154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00591563

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 38da7e202e71d8ed8ebd5aa6f7ba115066dd50f8ea7f66dd86ef6cc3bb9b3a31
Instruction ID: bc46eb1f685e858d3e53e58b85313fc1bd991670db2f5247c69c1b6642f5246d
Opcode Fuzzy Hash: 38da7e202e71d8ed8ebd5aa6f7ba115066dd50f8ea7f66dd86ef6cc3bb9b3a31
Instruction Fuzzy Hash: E711447250060AAFDF118FA8ED49FDE7FA9FB48744F054028FA09A2060C3758E65AB64

Function 00553382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00553379,00552FE5), ref: 00553390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0055339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005533B7
SetLastError.KERNEL32(00000000,?,00553379,00552FE5), ref: 00553409

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 69b4b713091dda58d8e6bce89767fa2ae4c1feecbc048979436f0165da2a7b58
Instruction ID: 3de00270e9c8584405f566412600aca298d7b7e458ebb6c9fb88bbdbbf9c97d9
Opcode Fuzzy Hash: 69b4b713091dda58d8e6bce89767fa2ae4c1feecbc048979436f0165da2a7b58
Instruction Fuzzy Hash: BB012232208316AEAB1527747CAD96A2E58FB613BB320023FFC18851F0EE111D0EA548

Function 00562D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00565686,00573CD6,?,00000000,?,00565B6A,?,?,?,?,?,0055E6D1,?,005F8A48), ref: 00562D78
_free.LIBCMT ref: 00562DAB
_free.LIBCMT ref: 00562DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0055E6D1,?,005F8A48,00000010,00534F4A,?,?,00000000,00573CD6), ref: 00562DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0055E6D1,?,005F8A48,00000010,00534F4A,?,?,00000000,00573CD6), ref: 00562DEC
_abort.LIBCMT ref: 00562DF2

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 1061e64d3ea8daa0f390aab2cf962a6d94dcc5ab7e9efccf4c7fd5ca29d28458
Instruction ID: c455e8e0fc66d152c3a90e99d34abf76dda3306d054376d02ea35da2a0efd402
Opcode Fuzzy Hash: 1061e64d3ea8daa0f390aab2cf962a6d94dcc5ab7e9efccf4c7fd5ca29d28458
Instruction Fuzzy Hash: 14F0CD35544E026BC3122734BC1EE5F1D79BFD17A1F250814F828D31D1DF3488479260

Function 005C8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00549639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00549693
Part of subcall function 00549639: SelectObject.GDI32(?,00000000), ref: 005496A2
Part of subcall function 00549639: BeginPath.GDI32(?), ref: 005496B9
Part of subcall function 00549639: SelectObject.GDI32(?,00000000), ref: 005496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 005C8A4E
LineTo.GDI32(?,00000003,00000000), ref: 005C8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 005C8A70
LineTo.GDI32(?,00000000,00000003), ref: 005C8A80
EndPath.GDI32(?), ref: 005C8A90
StrokePath.GDI32(?), ref: 005C8AA0

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7257fbdb9862bbd2419df9e0f5e99a6565bd06dd04d8aea800c9626bb446bba2
Instruction ID: 89d794e17b7d4e8a9ce29e6dcedabb0d94e8350f7cc3633a550dd8feb61dc148
Opcode Fuzzy Hash: 7257fbdb9862bbd2419df9e0f5e99a6565bd06dd04d8aea800c9626bb446bba2
Instruction Fuzzy Hash: CE11397200010CFFDB129F90DC88EAA7F6DEB09350F008016FA599A1A0C7719D55EFA0

Function 005951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00595218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00595229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00595230
ReleaseDC.USER32(00000000,00000000), ref: 00595238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0059524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00595261

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3b05affc70b3b5b2cf9b852cd882a167d2cbcc27d23485bff2cfc4c8cbb10ce9
Instruction ID: 92363e7fd6a46b70c5ca352ce900686623693093aea7627e18403ab001ead071
Opcode Fuzzy Hash: 3b05affc70b3b5b2cf9b852cd882a167d2cbcc27d23485bff2cfc4c8cbb10ce9
Instruction Fuzzy Hash: 1A018475A01B04BFEF109BA59C49E4EBF78FB58351F044065FA08A7280D6709804DB60

Function 00531BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00531BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00531BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00531C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00531C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00531C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00531C22

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: df7cfe8bc8135b269ffc407111a131babb5558a73e41f9eecbcdaf01772c46bc
Instruction ID: 364d0f1c3d3262b3ed1065f56f45339856a1e95a2b15f06c87b85b1c639435b9
Opcode Fuzzy Hash: df7cfe8bc8135b269ffc407111a131babb5558a73e41f9eecbcdaf01772c46bc
Instruction Fuzzy Hash: 9D016CB0902B597DE3008F5A8C85B52FFA8FF19354F00411BD15C4BA41C7F5A864CBE5

Function 0059EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0059EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0059EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0059EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0059EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0059EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0059EB75

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 4bda8b20ccd75c0c478e3ea69a3bd3e2e5b7f2927081a05624ccc0e371575f5d
Instruction ID: 43f8c4e78050f10a957fb9c629c6e287b330e71be4690480a789862a03333330
Opcode Fuzzy Hash: 4bda8b20ccd75c0c478e3ea69a3bd3e2e5b7f2927081a05624ccc0e371575f5d
Instruction Fuzzy Hash: ADF09A72600958BFE7205B639C0EEEF3E7CEFDAB15F000158F605D1090D7A01A05E6B4

Function 00587439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00587452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00587469
GetWindowDC.USER32(?), ref: 00587475
GetPixel.GDI32(00000000,?,?), ref: 00587484
ReleaseDC.USER32(?,00000000), ref: 00587496
GetSysColor.USER32(00000005), ref: 005874B0

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 405fb58a4dca160e89bba7f0b9a819dba06eed7965cc6c6e5bf432d9bdce9430
Instruction ID: c99213512833376631b4de95c1a0243a603e57e5a0fd29cb869549443b6012b1
Opcode Fuzzy Hash: 405fb58a4dca160e89bba7f0b9a819dba06eed7965cc6c6e5bf432d9bdce9430
Instruction Fuzzy Hash: 93018F31400A05EFEB109FA4DC08FAA7FB5FB14311F240060FD19A20B1CB311D46EB50

Function 00591874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0059187F
UnloadUserProfile.USERENV(?,?), ref: 0059188B
CloseHandle.KERNEL32(?), ref: 00591894
CloseHandle.KERNEL32(?), ref: 0059189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005918A5
HeapFree.KERNEL32(00000000), ref: 005918AC

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 4a11964a178573b812cd437419e516200e7e5a40cae0013ee070814a4b2a422d
Instruction ID: 8664fc03187144d7b08516d4aa354266aef95215d9e74f0b8aefe417dcb55c91
Opcode Fuzzy Hash: 4a11964a178573b812cd437419e516200e7e5a40cae0013ee070814a4b2a422d
Instruction Fuzzy Hash: 39E01A36404901BFDB015FA2ED0CD0ABF79FF69B22B108624F22981470CB329424EF50

Function 0053BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0053BEB3

Strings

D%`, xrefs: 0053BE9A
D%`D%`, xrefs: 0053BCA5
D%`, xrefs: 0053BCA2
D%`, xrefs: 0053BDED, 0053BD91, 0053BD1B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%`$D%`$D%`$D%`D%`
API String ID: 1385522511-531244762
Opcode ID: 0ad0f4fd2de7d934747b514dd36bdf4f3af91443c3dd06f60f5967116dc05a93
Instruction ID: bc63fd1243a454109ed32fe597a69bb1b7c64627724b49e1e1fa8e4deb3bd666
Opcode Fuzzy Hash: 0ad0f4fd2de7d934747b514dd36bdf4f3af91443c3dd06f60f5967116dc05a93
Instruction Fuzzy Hash: 09916D75A0020ACFDB28CF58C4A16AABBF2FF58314F24456EDA45AB351D731ED81DB90

Function 005B7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00550242: EnterCriticalSection.KERNEL32(0060070C,00601884,?,?,0054198B,00602518,?,?,?,005312F9,00000000), ref: 0055024D
Part of subcall function 00550242: LeaveCriticalSection.KERNEL32(0060070C,?,0054198B,00602518,?,?,?,005312F9,00000000), ref: 0055028A

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 005500A3: __onexit.LIBCMT ref: 005500A9

__Init_thread_footer.LIBCMT ref: 005B7BFB

Part of subcall function 005501F8: EnterCriticalSection.KERNEL32(0060070C,?,?,00548747,00602514), ref: 00550202
Part of subcall function 005501F8: LeaveCriticalSection.KERNEL32(0060070C,?,00548747,00602514), ref: 00550235

Strings

Variable must be of type 'Object'., xrefs: 005B7C3A
G, xrefs: 005B7C7F
5, xrefs: 005B7C78
+TX, xrefs: 005B7E2E

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TX$5$G$Variable must be of type 'Object'.
API String ID: 535116098-619909410
Opcode ID: 3546736a0836daaf75db13fad15d58f1564497c6f81b7af1682c36eb05a631fa
Instruction ID: 17f38cb3bc47b176bc42abb0dcdefc6896780fdc388496750e785929cc7ee57c
Opcode Fuzzy Hash: 3546736a0836daaf75db13fad15d58f1564497c6f81b7af1682c36eb05a631fa
Instruction Fuzzy Hash: 3F918C70A0420AAFCB14EF94D895DEDBFB6FF88304F108459F8169B292DB71AE45CB51

Function 0059C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00537620: _wcslen.LIBCMT ref: 00537625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0059C6EE
_wcslen.LIBCMT ref: 0059C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0059C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0059C7CA

Strings

0, xrefs: 0059C6AF

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 137472079fb11ef7fb90374fad72fb9ed55a3c3b63497e6223a474567cd1da20
Instruction ID: 8d701adf38c0b33e71fd89e3b05b8cf126e7f399e3ba27d60c0657cf83df1de2
Opcode Fuzzy Hash: 137472079fb11ef7fb90374fad72fb9ed55a3c3b63497e6223a474567cd1da20
Instruction Fuzzy Hash: 2051AB716043019BDB14DF68C889BABBFE8FF8A354F040A2DF995D71E0DB64D9049B92

Function 0059719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00597206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0059723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0059724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005972CF

Strings

DllGetClassObject, xrefs: 00597242

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: d449f5ba43e1ad72f4c0fce6e67c9813ba5370f13658f3017a6bc15754f67e9d
Instruction ID: 83aa84567c8c8821bca7879429315cec54a6591e82e91c68204b60a3e8ad065f
Opcode Fuzzy Hash: d449f5ba43e1ad72f4c0fce6e67c9813ba5370f13658f3017a6bc15754f67e9d
Instruction Fuzzy Hash: 17416075624208DFDF15CF54C884A9A7FA9FF48710F1584AAFD099F20AD7B0DA44DBA0

Function 005C3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005C3E35
IsMenu.USER32(?), ref: 005C3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005C3E92
DrawMenuBar.USER32 ref: 005C3EA5

Strings

0, xrefs: 005C3D89

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: d8e8de7148164d1738bc36487d10f1a4a2a90cf1a2d314180c91cf324fe70d65
Instruction ID: 1a6aed27f76a6c740d425bbcaaec1d73b1005d5139b4318ff70588fdd488e375
Opcode Fuzzy Hash: d8e8de7148164d1738bc36487d10f1a4a2a90cf1a2d314180c91cf324fe70d65
Instruction Fuzzy Hash: 76412475A0120DAFDB10DFA0D884EAABFB9FF49354F04812DE905AB250D730AE45DFA0

Function 00591DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 00593CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00593CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00591E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00591E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00591EA9

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

Strings

ListBox, xrefs: 00591E25
ComboBox, xrefs: 00591DF0

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: ce6a1e0c7d866eca263e8e3957412d18a14a4d5aea80f1ff03e024691abd3906
Instruction ID: 3956994361d14dba10889bc4d9660d0b0568a7d9980dfe993820a59065029884
Opcode Fuzzy Hash: ce6a1e0c7d866eca263e8e3957412d18a14a4d5aea80f1ff03e024691abd3906
Instruction Fuzzy Hash: F121E475A0050ABEDF149B64DC49CFFBFACBF85350F104519F925A72E1DB744D099620

Function 005C2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005C2F8D
LoadLibraryW.KERNEL32(?), ref: 005C2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005C2FA9
DestroyWindow.USER32(?), ref: 005C2FB1

Strings

SysAnimate32, xrefs: 005C2F68

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 9b9fc73f66c4fc5af13e453bf9b19f9fac41b598f9e5c11c41f16f02631c3f77
Instruction ID: 99336e43692a16806487530c70c9df99a7436b15191856efe7efd9b3685ef67c
Opcode Fuzzy Hash: 9b9fc73f66c4fc5af13e453bf9b19f9fac41b598f9e5c11c41f16f02631c3f77
Instruction Fuzzy Hash: E921B871200209AFEB208EA49C86FBB3BB9FB59324F10421CFA54D6190D671DC81AB60

Function 00554D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00554D1E,005628E9,?,00554CBE,005628E9,005F88B8,0000000C,00554E15,005628E9,00000002), ref: 00554D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00554DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00554D1E,005628E9,?,00554CBE,005628E9,005F88B8,0000000C,00554E15,005628E9,00000002,00000000), ref: 00554DC3

Strings

mscoree.dll, xrefs: 00554D86
CorExitProcess, xrefs: 00554D98

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 878a459e10d7188789e707665f4d28cd8e2fe44a6be9c9c92eb56e97955272bc
Instruction ID: 5b25c015e2f7b0828a883115ee47896aafcb4049e608014b21db3998e9b9c300
Opcode Fuzzy Hash: 878a459e10d7188789e707665f4d28cd8e2fe44a6be9c9c92eb56e97955272bc
Instruction Fuzzy Hash: EDF08C30A00208AFDB109B94DC09BAEBFB8FF54712F0400A6EC09A62A0CB305989DF90

Function 00534E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00534EDD,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00534EAE
FreeLibrary.KERNEL32(00000000,?,?,00534EDD,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534EC0

Strings

kernel32.dll, xrefs: 00534E94
Wow64DisableWow64FsRedirection, xrefs: 00534EA8

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 66eb9bd0beb1260b809d4367fb6b29249561490c8ae0f86984d813d1a3585774
Instruction ID: 42e7716581a0eb25a0c992f80439c47713e5674a5727b4b2f95f9483f77b87c7
Opcode Fuzzy Hash: 66eb9bd0beb1260b809d4367fb6b29249561490c8ae0f86984d813d1a3585774
Instruction Fuzzy Hash: D6E08635A01A225FD22117266C18F6B6F58BF92B62B090115FD08D2210DB74DD0AA4E1

Function 00534E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00573CDE,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00534E74
FreeLibrary.KERNEL32(00000000,?,?,00573CDE,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534E87

Strings

kernel32.dll, xrefs: 00534E5B
Wow64RevertWow64FsRedirection, xrefs: 00534E6E

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: faed529d8e38ffb0654edd781660288b407b9670548ad42ea241de23a578d4ef
Instruction ID: a4fdc5fdd93d930d70be7e1d155bf6b790810c644ec12d9a9d58833752a76d9a
Opcode Fuzzy Hash: faed529d8e38ffb0654edd781660288b407b9670548ad42ea241de23a578d4ef
Instruction Fuzzy Hash: 11D0C232902A215F96231B66AC08E8B2F1CBF81F113090114F908A6110CF30CD06E9D1

Function 005A2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005A2C05
DeleteFileW.KERNEL32(?), ref: 005A2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005A2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005A2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005A2CC0

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 2ce30551b8aa1f64b853633ff2e22907b84a7438c021b5173cc570a853de5111
Instruction ID: 0735848d28efb613e53991e1f95d68752ec79329d4eb4860a9900692c1f883f2
Opcode Fuzzy Hash: 2ce30551b8aa1f64b853633ff2e22907b84a7438c021b5173cc570a853de5111
Instruction Fuzzy Hash: E2B1507290011AABDF25DBA4CC8AEDE7F7DFF49350F1040A6F509E6151EA319E448F61

Function 005BA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 005BA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005BA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 005BA468
CloseHandle.KERNEL32(?), ref: 005BA63D

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: f24799e9661dc39b33fe699f7522925944c9e4b8591be66d0b6e825352164dae
Instruction ID: d12e44a63954d154bc287515fa5af3bde97b2340b15590643e4633bf9da90a2e
Opcode Fuzzy Hash: f24799e9661dc39b33fe699f7522925944c9e4b8591be66d0b6e825352164dae
Instruction Fuzzy Hash: 72A16E71604301AFDB20DF24D886F6ABBE5BF84714F14885DF69A9B2D2D770EC418B92

Function 0056BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005D3700), ref: 0056BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0060121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0056BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00601270,000000FF,?,0000003F,00000000,?), ref: 0056BC36
_free.LIBCMT ref: 0056BB7F

Part of subcall function 005629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000), ref: 005629DE
Part of subcall function 005629C8: GetLastError.KERNEL32(00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000,00000000), ref: 005629F0

_free.LIBCMT ref: 0056BD4B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 2c79d36287c9c7409effbc0d877e8e88c262e33c741e6e121a78c9ab8977efba
Instruction ID: 097ed2e0c6eaf7b5be215a172188be3934932afdeb217a4814da591a048e9d87
Opcode Fuzzy Hash: 2c79d36287c9c7409effbc0d877e8e88c262e33c741e6e121a78c9ab8977efba
Instruction Fuzzy Hash: 2451D67190020AAFEB20DF65DC8596EBFB8FB81350B10066AE554DB2A1EB309FC1CB50

Function 0059E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0059DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0059CF22,?), ref: 0059DDFD

Part of subcall function 0059DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0059CF22,?), ref: 0059DE16

Part of subcall function 0059E199: GetFileAttributesW.KERNEL32(?,0059CF95), ref: 0059E19A

lstrcmpiW.KERNEL32(?,?), ref: 0059E473
MoveFileW.KERNEL32(?,?), ref: 0059E4AC
_wcslen.LIBCMT ref: 0059E5EB
_wcslen.LIBCMT ref: 0059E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0059E650

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e2202a23f5722cba0abdbf22bd16f8f52fb2035b3bc4568c3e14cb3f7c33f898
Instruction ID: 7797bde78e17b2c3a3167bdbad7e0dbf0f469d5499ace1e07a078484cc6ba6b6
Opcode Fuzzy Hash: e2202a23f5722cba0abdbf22bd16f8f52fb2035b3bc4568c3e14cb3f7c33f898
Instruction Fuzzy Hash: CB5142B24083459BCB24DB90D8959DFBBECBFC4340F00491EF589D3191EE75A588C766

Function 005BB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 005BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005BB6AE,?,?), ref: 005BC9B5
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BC9F1
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA68
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005BBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005BBB63
RegCloseKey.ADVAPI32(?,?), ref: 005BBBA6
RegCloseKey.ADVAPI32(00000000), ref: 005BBBB3

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: aeb2ebe77d7cd7cb8c01fa962d8a75f8c4aba22b21b780e178e15e3d1b29432a
Instruction ID: 94cbfb41a7024b00f0ab1c6ed890c13ec7fefb1cd3af80d9e1f69fefc01aea45
Opcode Fuzzy Hash: aeb2ebe77d7cd7cb8c01fa962d8a75f8c4aba22b21b780e178e15e3d1b29432a
Instruction Fuzzy Hash: F5619F71608241AFD714DF14C894E6ABFE5FF84308F14895CF4998B2A2DBB1ED45CB92

Function 00598BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00598BCD
VariantClear.OLEAUT32 ref: 00598C3E
VariantClear.OLEAUT32 ref: 00598C9D
VariantClear.OLEAUT32(?), ref: 00598D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00598D3B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: dcaa1f8e1f40caae5aed9bf2464556030c7cf764ea08638284907071e68ead18
Instruction ID: d71ce83e84cb9af9a35576298b1263f7ad417aa35ff94398092de6be18de7e3a
Opcode Fuzzy Hash: dcaa1f8e1f40caae5aed9bf2464556030c7cf764ea08638284907071e68ead18
Instruction Fuzzy Hash: 475148B5A00619EFCF14CF68C894EAABBF9FF89314B158559E909DB350E730E911CB90

Function 005A8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005A8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 005A8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 005A8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 005A8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 005A8C5F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 01a79f95b551d971661d6c188700dc0687cdf3807468f550740041009aa78963
Instruction ID: 5c35761e5f6e10c2c17bcdc862240d06b30bfb398698c1d4911dfe81e0749c0d
Opcode Fuzzy Hash: 01a79f95b551d971661d6c188700dc0687cdf3807468f550740041009aa78963
Instruction Fuzzy Hash: 83514875A00219AFCB14DF65C884A6DBBF5FF89314F088058E849AB362DB31ED51CB90

Function 005B8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 005B8F40
GetProcAddress.KERNEL32(00000000,?), ref: 005B8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 005B8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 005B9032
FreeLibrary.KERNEL32(00000000), ref: 005B9052

Part of subcall function 0054F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,005A1043,?,7529E610), ref: 0054F6E6
Part of subcall function 0054F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0058FA64,00000000,00000000,?,?,005A1043,?,7529E610,?,0058FA64), ref: 0054F70D

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: dc0b767fc09d14111f27f36b62273cbc6f1eca6254d268c326e9fb2a1e632672
Instruction ID: 47139383eac2ff9ab06ce4380d31e7531ab493e092662e2b967d70b2c48883aa
Opcode Fuzzy Hash: dc0b767fc09d14111f27f36b62273cbc6f1eca6254d268c326e9fb2a1e632672
Instruction Fuzzy Hash: 1F510875604205DFCB15EF58C4989E9BFB1FF89314F098099E90A9B362DB31ED86CB90

Function 005C6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 005C6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 005C6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 005C6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,005AAB79,00000000,00000000), ref: 005C6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 005C6CC7

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: a48460bfd6f5c9f5682a9ce2b4e2cad0fe39ffd010bd577ddfa59f4c4b2a05e5
Instruction ID: 17a3dd10ac7080cd3a536f6a682067e60eba07771252402e2d17b13c480cc2e6
Opcode Fuzzy Hash: a48460bfd6f5c9f5682a9ce2b4e2cad0fe39ffd010bd577ddfa59f4c4b2a05e5
Instruction Fuzzy Hash: F241D535A04104AFD724CFA8CD58FAA7FA5FB09350F14022CF899AB2E1C371EE41DA80

Function 00562051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005620C3
_free.LIBCMT ref: 005620E3

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 74bee9f766522d23ef11272473ac916ad9023062521924c20880734659abc485
Instruction ID: a96db8b859ab23736f8390932fb9ac837564d11313f2c888d5c2c44e172fca74
Opcode Fuzzy Hash: 74bee9f766522d23ef11272473ac916ad9023062521924c20880734659abc485
Instruction Fuzzy Hash: 6D41E432A006049FCB24DF78C985A6DBBF5FF89324F154569E915EB352DB31AD01CB80

Function 0054912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00549141
ScreenToClient.USER32(00000000,?), ref: 0054915E
GetAsyncKeyState.USER32(00000001), ref: 00549183
GetAsyncKeyState.USER32(00000002), ref: 0054919D

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: cb7bb5c4dd39d161f977f52cb5335ebbe127f18e7c67bcc1b49c71193f42f72c
Instruction ID: dd733f972f30cf9fc417fdcbdfd27934be4f68157fc99e8e911d55edc8937511
Opcode Fuzzy Hash: cb7bb5c4dd39d161f977f52cb5335ebbe127f18e7c67bcc1b49c71193f42f72c
Instruction Fuzzy Hash: 78415F3190850BBFDF15AF64C849BEEBB74FB49324F204219E829A2290C730AD54DB91

Function 005A3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005A38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 005A3922
TranslateMessage.USER32(?), ref: 005A394B
DispatchMessageW.USER32(?), ref: 005A3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005A3966

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 7eecfa83ca6f479e765c48b71b8323ca01bf1a223d1491ae3961003640c29a8c
Instruction ID: 44f50a5f071a818490406688b655107db556660ecbcd413e6aebc1603b45a426
Opcode Fuzzy Hash: 7eecfa83ca6f479e765c48b71b8323ca01bf1a223d1491ae3961003640c29a8c
Instruction Fuzzy Hash: 6D31A0709443469FEB25CF749848BBB3FA8FB17308F04456DF466861A0E3B49A89DB21

Function 005ACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,005AC21E,00000000), ref: 005ACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 005ACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,005AC21E,00000000), ref: 005ACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,005AC21E,00000000), ref: 005ACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,005AC21E,00000000), ref: 005ACFF2

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 5f2c332e9417e97d597824e1731dfb0be80474b72d97a539a1b6d8b5fa17867a
Instruction ID: a2874d40c5ffd4a2d9cc2b860902be3e305c06343a0d2c8f04ad428c596510f1
Opcode Fuzzy Hash: 5f2c332e9417e97d597824e1731dfb0be80474b72d97a539a1b6d8b5fa17867a
Instruction Fuzzy Hash: 90317C71900605AFDB20DFA5D884EAFBFF9FB15314B10442EF50AD2100DB30AE45DB60

Function 00591901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00591915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005919E2

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 99205e29eb14637b6fb41beab13da5805e292ab12959996ebd6eb2adce077048
Instruction ID: fbaaffe383f5efdd387224eab5836f230ac1cf293500b2808148b11aeaed8f0d
Opcode Fuzzy Hash: 99205e29eb14637b6fb41beab13da5805e292ab12959996ebd6eb2adce077048
Instruction Fuzzy Hash: EE31AD71A0062AEFDF00CFA8C999ADE3FB5FB54315F104229F926AB2D1C7709944DB90

Function 005C5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 005C5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 005C579D
_wcslen.LIBCMT ref: 005C57AF
_wcslen.LIBCMT ref: 005C57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 005C5816

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: d890983968d1a17ba8632a1b55be6e84fb538dd58d1ef23a612aa63f29c5d53c
Instruction ID: b74189f45cf28a4887f41f3400814800ffc0f205e3176dd07520e141720a258c
Opcode Fuzzy Hash: d890983968d1a17ba8632a1b55be6e84fb538dd58d1ef23a612aa63f29c5d53c
Instruction Fuzzy Hash: AE2150719046189EDB209FE4CC85FEE7FB8FB54724F10865AE919AA180E770A9C5CF90

Function 005B0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005B0951
GetForegroundWindow.USER32 ref: 005B0968
GetDC.USER32(00000000), ref: 005B09A4
GetPixel.GDI32(00000000,?,00000003), ref: 005B09B0
ReleaseDC.USER32(00000000,00000003), ref: 005B09E8

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 45887848aeb10cd7e34415e8a0e71aa089c1d68c9db1568b975954adc75cda0a
Instruction ID: 05fe9796a96f033b533a05a8596bc0b17163b448f8e48c1c64b78e8a792406c8
Opcode Fuzzy Hash: 45887848aeb10cd7e34415e8a0e71aa089c1d68c9db1568b975954adc75cda0a
Instruction Fuzzy Hash: AA218135600604AFD704EF69C989EAEBFE9FF89740F048468E84A97752DB30EC44DB50

Function 0056CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0056CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0056CDE9

Part of subcall function 00563820: RtlAllocateHeap.NTDLL(00000000,?,00601444,?,0054FDF5,?,?,0053A976,00000010,00601440,005313FC,?,005313C6,?,00531129), ref: 00563852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0056CE0F
_free.LIBCMT ref: 0056CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0056CE31

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 8a8566d3c09289805e5e74ee3f0296566f592e893a8bdf562061c34e16289585
Instruction ID: f4606196e627e01545ca7b49ce360495bcf10c5bae01bd6d4cff09394fecf260
Opcode Fuzzy Hash: 8a8566d3c09289805e5e74ee3f0296566f592e893a8bdf562061c34e16289585
Instruction Fuzzy Hash: 45018472A026557F233216B66C8CD7B7D7DFEC6FA13150129F949C7201EA668D0191B0

Function 00549639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00549693
SelectObject.GDI32(?,00000000), ref: 005496A2
BeginPath.GDI32(?), ref: 005496B9
SelectObject.GDI32(?,00000000), ref: 005496E2

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 13062efce0db8c2cfc3940c11a2a3a3aca9e99242dc19fb8caaef126d0856add
Instruction ID: 3f2653f5cbcb04633284ca90c1dd1656803f6152c89b789001b395ba66250323
Opcode Fuzzy Hash: 13062efce0db8c2cfc3940c11a2a3a3aca9e99242dc19fb8caaef126d0856add
Instruction Fuzzy Hash: 13219530842309EFDB119F65EC09BEB3FB6BB52319F110216F414AA1B0D3709855DF94

Function 00595711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00595726
_memcmp.LIBVCRUNTIME ref: 00595744
_memcmp.LIBVCRUNTIME ref: 00595757
_memcmp.LIBVCRUNTIME ref: 0059576F
_memcmp.LIBVCRUNTIME ref: 00595787

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 59513758d8477797382fe89bbed00e65fb8371632d310fd5f5c8007e7822cf02
Instruction ID: f63170801d2a822bb71544c90224884cbbd3fdf90f3e2772ab9575a2a13e0b72
Opcode Fuzzy Hash: 59513758d8477797382fe89bbed00e65fb8371632d310fd5f5c8007e7822cf02
Instruction Fuzzy Hash: 7501D261241A0ABFDA095790ADA2FBA7F5DFB603D9B004425FE059A241F730EE2483E4

Function 00562DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0055F2DE,00563863,00601444,?,0054FDF5,?,?,0053A976,00000010,00601440,005313FC,?,005313C6), ref: 00562DFD
_free.LIBCMT ref: 00562E32
_free.LIBCMT ref: 00562E59
SetLastError.KERNEL32(00000000,00531129), ref: 00562E66
SetLastError.KERNEL32(00000000,00531129), ref: 00562E6F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ec0e6e35a35ce7f3418a73970f85d661adbf0df7e2c5ef885ff3509b44081740
Instruction ID: 78c0e5f3a2a43e0d3026c46f41c79b0d7d6edef62869aa21a908212c43fd52bc
Opcode Fuzzy Hash: ec0e6e35a35ce7f3418a73970f85d661adbf0df7e2c5ef885ff3509b44081740
Instruction Fuzzy Hash: FE01F436645E026BC71227346C49D3B2E6DBBE17A1F254838F429E32D2EB268C459120

Function 0059000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?,?,?,0059035E), ref: 0059002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?,?), ref: 00590046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?,?), ref: 00590054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?), ref: 00590064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?,?), ref: 00590070

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b48ac0447dfccb193235b80842fa3e35bf0b6e03b8b5bcfaffcd4cfdf318d4c0
Instruction ID: bed412c5a38d9268181dbf1572f5349f3cbd9d4103141f3bdb5696286efc0cfb
Opcode Fuzzy Hash: b48ac0447dfccb193235b80842fa3e35bf0b6e03b8b5bcfaffcd4cfdf318d4c0
Instruction Fuzzy Hash: 7A018B72600604BFDF108F69DC08FAA7EEDFB44792F585924F909D2250E771DD44ABA0

Function 005910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00591114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 00591120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 0059112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 00591136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0059114D

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 56fc81d38194af887be92247e132efda552d8354228470bd453419109f0b19e5
Instruction ID: a7974c429b1fefb0991031639b2d3d7df6d4f9c774255f46aa3de946898f0eb8
Opcode Fuzzy Hash: 56fc81d38194af887be92247e132efda552d8354228470bd453419109f0b19e5
Instruction Fuzzy Hash: CD01F675200A15BFDB114BA5DC49E6A3FAEEF892A0B244419FA49D6260DB31DC05EA60

Function 00590FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00590FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00590FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00590FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00590FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00591002

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 77676047ba9f4db5e506a2b8142005bca04714ec9ea73f513cfc525c06f65208
Instruction ID: 296ad8ca1bb46db5829628f072cfa4c3f2523d447a7ea9e6772979c26ca132f5
Opcode Fuzzy Hash: 77676047ba9f4db5e506a2b8142005bca04714ec9ea73f513cfc525c06f65208
Instruction Fuzzy Hash: A0F0A935200B12AFDB210FA6AC4DF5A3FADFF99762F100414FA09D6250DA31DC40DA60

Function 00591014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0059102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00591036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00591045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0059104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00591062

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ed0a2c779fb9f97fa0542e8994a8dcf47a1873f7f621141a27d8fafc0f5b8baf
Instruction ID: 91765aba19a3cfcc9651e26ffad2b712c6fe2058978d34525089e87588b77c7a
Opcode Fuzzy Hash: ed0a2c779fb9f97fa0542e8994a8dcf47a1873f7f621141a27d8fafc0f5b8baf
Instruction Fuzzy Hash: 2FF04935200B12AFDB215FA6EC4DF5A3FADFF997A1F140414FA49D6250CA71D8449A60

Function 005A030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,005A017D,?,005A32FC,?,00000001,00572592,?), ref: 005A0324
CloseHandle.KERNEL32(?,?,?,?,005A017D,?,005A32FC,?,00000001,00572592,?), ref: 005A0331
CloseHandle.KERNEL32(?,?,?,?,005A017D,?,005A32FC,?,00000001,00572592,?), ref: 005A033E
CloseHandle.KERNEL32(?,?,?,?,005A017D,?,005A32FC,?,00000001,00572592,?), ref: 005A034B
CloseHandle.KERNEL32(?,?,?,?,005A017D,?,005A32FC,?,00000001,00572592,?), ref: 005A0358
CloseHandle.KERNEL32(?,?,?,?,005A017D,?,005A32FC,?,00000001,00572592,?), ref: 005A0365

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fec606dadb228b10723eaf33bd2bdfc3a1e1aa56caa838894cc02f76c439dbb2
Instruction ID: 6f0d079c97ea20e70eb8295672e6f076cf2c6479158f536268aa13d2c68f1cc2
Opcode Fuzzy Hash: fec606dadb228b10723eaf33bd2bdfc3a1e1aa56caa838894cc02f76c439dbb2
Instruction Fuzzy Hash: 2301AE72810B159FCB30AF66D88081AFBF9BF613163159E3FD19652971C3B1A958DF80

Function 0056D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0056D752

Part of subcall function 005629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000), ref: 005629DE
Part of subcall function 005629C8: GetLastError.KERNEL32(00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000,00000000), ref: 005629F0

_free.LIBCMT ref: 0056D764
_free.LIBCMT ref: 0056D776
_free.LIBCMT ref: 0056D788
_free.LIBCMT ref: 0056D79A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6165d4adee7a8261d40bf45edf058c4607b23935983dbade1e034f4d152baf1f
Instruction ID: 5f99fcd1ed527610c428fc5c82cb3adc274021e6f19a2960b6d7241f0d50b93d
Opcode Fuzzy Hash: 6165d4adee7a8261d40bf45edf058c4607b23935983dbade1e034f4d152baf1f
Instruction Fuzzy Hash: 1FF04F32B00609AB8625EB64FAC5D267FEDFB84390B940C15F049D7502CB24FC80C671

Function 00595C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00595C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00595C6F
MessageBeep.USER32(00000000), ref: 00595C87
KillTimer.USER32(?,0000040A), ref: 00595CA3
EndDialog.USER32(?,00000001), ref: 00595CBD

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 0beaf7d93edbd2de920983946fee974871339404552495eee7e3ac9002183346
Instruction ID: a212b493eb7e2c83836d31cecbb46406490c210bb22af78f80910e268bf2d93b
Opcode Fuzzy Hash: 0beaf7d93edbd2de920983946fee974871339404552495eee7e3ac9002183346
Instruction Fuzzy Hash: 78018130500B04AFEF215B14DE4EFA67FB8FB10B05F000559E687A15E1EBF4AD989B90

Function 005622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005622BE

Part of subcall function 005629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000), ref: 005629DE
Part of subcall function 005629C8: GetLastError.KERNEL32(00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000,00000000), ref: 005629F0

_free.LIBCMT ref: 005622D0
_free.LIBCMT ref: 005622E3
_free.LIBCMT ref: 005622F4
_free.LIBCMT ref: 00562305

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 51f04cd51465826e2b5efba379beaef6af01ebd01d5ad1665db70aea9c3ab68d
Instruction ID: 30cb43ac13e39556a72fc0872eb8b47aa6f282402621ab2759068de3879dfd62
Opcode Fuzzy Hash: 51f04cd51465826e2b5efba379beaef6af01ebd01d5ad1665db70aea9c3ab68d
Instruction Fuzzy Hash: 6AF0B4745809128BC716AF64BC0191A3FA6F759790F00111AF418C7271D7340681FFE4

Function 005495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005495D4
StrokeAndFillPath.GDI32(?,?,005871F7,00000000,?,?,?), ref: 005495F0
SelectObject.GDI32(?,00000000), ref: 00549603
DeleteObject.GDI32 ref: 00549616
StrokePath.GDI32(?), ref: 00549631

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 6e5fa6a4735b7650ef7bad1a48f75d127807dffa86a17e1d5b2d5e830175abec
Instruction ID: f015ac01a94c85940fc325200031f3a8797b15188ee84c4026777fe632acb3b1
Opcode Fuzzy Hash: 6e5fa6a4735b7650ef7bad1a48f75d127807dffa86a17e1d5b2d5e830175abec
Instruction Fuzzy Hash: 48F06231045708EFDB165F65ED1DBAA3F62FB12326F149214F469690F0C7308995EF60

Function 00560F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 005610F9
__freea.LIBCMT ref: 00561117

Part of subcall function 00561537: _free.LIBCMT ref: 0056154F

Strings

a/p, xrefs: 005611DE
am/pm, xrefs: 0056117A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: e1d217ccb8c6e9323f19dbb2cbeb94420b631f328601bc024f4bd135377e86d0
Instruction ID: b841d5ac47cbc8edf6f4de943b32ea763735481d4e1781ad2ceb2e1bbb3b5f93
Opcode Fuzzy Hash: e1d217ccb8c6e9323f19dbb2cbeb94420b631f328601bc024f4bd135377e86d0
Instruction Fuzzy Hash: 4DD1F235A00A06CBCB249F68C859BFABFB1FF06310F2C4959E9069B750D7359D80CB99

Function 005B61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00550242: EnterCriticalSection.KERNEL32(0060070C,00601884,?,?,0054198B,00602518,?,?,?,005312F9,00000000), ref: 0055024D
Part of subcall function 00550242: LeaveCriticalSection.KERNEL32(0060070C,?,0054198B,00602518,?,?,?,005312F9,00000000), ref: 0055028A

Part of subcall function 005500A3: __onexit.LIBCMT ref: 005500A9

__Init_thread_footer.LIBCMT ref: 005B6238

Part of subcall function 005501F8: EnterCriticalSection.KERNEL32(0060070C,?,?,00548747,00602514), ref: 00550202
Part of subcall function 005501F8: LeaveCriticalSection.KERNEL32(0060070C,?,00548747,00602514), ref: 00550235

Part of subcall function 005A359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005A35E4
Part of subcall function 005A359C: LoadStringW.USER32(00602390,?,00000FFF,?), ref: 005A360A

Strings

x#`, xrefs: 005B633A
x#`, xrefs: 005B6353
x#`, xrefs: 005B636F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#`$x#`$x#`
API String ID: 1072379062-3950501536
Opcode ID: b5087c9e2f31a008b57a3a53fd5973eadd4ed481909863c534b08145aad20205
Instruction ID: 8fc4dd54d04c711968db93dd9f8fe52ea22c3e0961ce64eb508e5d683ab4d2f5
Opcode Fuzzy Hash: b5087c9e2f31a008b57a3a53fd5973eadd4ed481909863c534b08145aad20205
Instruction Fuzzy Hash: C3C15B71A00106AFDB24DF58C895EFEBBB9FF48300F148469E9459B291DB74ED45CB90

Function 00565AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOS, xrefs: 00565BA8, 00565C6C

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID: JOS
API String ID: 0-131039872
Opcode ID: 0dc427438055e99682d4576b438a0b8e652b7ab1d7c5666f1a04c0580a8cb1fe
Instruction ID: 307a3d9f96195156a42e76cd81f1b6119ffd3cfe4638671679f4e197ffb3729d
Opcode Fuzzy Hash: 0dc427438055e99682d4576b438a0b8e652b7ab1d7c5666f1a04c0580a8cb1fe
Instruction Fuzzy Hash: 0251C175D8060AAFDB219FA8CC49FAE7FB8FF45310F14045AF805A72A1EA319D01DB61

Function 00568A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00568B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00568B7A
__dosmaperr.LIBCMT ref: 00568B81

Strings

.U, xrefs: 00568A63

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .U
API String ID: 2434981716-2997353397
Opcode ID: 39c2d8ff317c2af3ffa31326bdc568f7662d1500ae8adead4359b60af4793081
Instruction ID: 8addc591414bbbc88ba0b24e7f7f3026b56ed0451037cc19d2f9675f1fd3098c
Opcode Fuzzy Hash: 39c2d8ff317c2af3ffa31326bdc568f7662d1500ae8adead4359b60af4793081
Instruction Fuzzy Hash: EF417BB0604045AFDB249F68DC84A7D7FA6FB85314F2C87AAF88587662DE31CC029790

Function 00592716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005921D0,?,?,00000034,00000800,?,00000034), ref: 0059B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00592760

Part of subcall function 0059B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0059B3F8

Part of subcall function 0059B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0059B355
Part of subcall function 0059B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00592194,00000034,?,?,00001004,00000000,00000000), ref: 0059B365
Part of subcall function 0059B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00592194,00000034,?,?,00001004,00000000,00000000), ref: 0059B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0059281A

Strings

@, xrefs: 00592832

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d5306c8b1acac34b2939212098dcff63d7b75e7cccf82755e4abab1fb6abdd3b
Instruction ID: d6bd3b4521ec04ba36f615a62d8ecb11cb03b2617797f7ead847b7d5d9685c1c
Opcode Fuzzy Hash: d5306c8b1acac34b2939212098dcff63d7b75e7cccf82755e4abab1fb6abdd3b
Instruction Fuzzy Hash: 97412972900219BEEF10DBA4D945EEEBBB8FF49300F104099EA55B7181DB706E85DBA0

Function 0056172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00561769
_free.LIBCMT ref: 00561834
_free.LIBCMT ref: 0056183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00561760, 00561767, 00561796, 005617CE

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: bfc0d28228c7756a9264df00742996b15a1d5d0dfa2b07e46dffe6b4e14c1160
Instruction ID: 829883e48f458185cac023ac1aab02729fc7e743f1b76fb2ed50b8b12c0bc39e
Opcode Fuzzy Hash: bfc0d28228c7756a9264df00742996b15a1d5d0dfa2b07e46dffe6b4e14c1160
Instruction Fuzzy Hash: A1319C71A40609ABDB21DB999885DAEBFFCFB85310F18416AF804DB211DA708A80CB94

Function 0059C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0059C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0059C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00601990,010F5618), ref: 0059C395

Strings

0, xrefs: 0059C2DF

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 40ad23b7e24e4cf56c58f52bf775cf0ac3cbe458619e432b314026364851f00e
Instruction ID: 6b99481e676daf61c2e2041d12032c960a36ed5662c99fa90374189bfe8e8723
Opcode Fuzzy Hash: 40ad23b7e24e4cf56c58f52bf775cf0ac3cbe458619e432b314026364851f00e
Instruction Fuzzy Hash: 79417F712043029FDB24DF29D885B5ABFE4BF85320F148A5DF9A5972D1D770E904CB52

Function 005C4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005CCC08,00000000,?,?,?,?), ref: 005C44AA
GetWindowLongW.USER32 ref: 005C44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005C44D7

Strings

SysTreeView32, xrefs: 005C447C

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b61feb5c5837f3000655948624d25c8ebada9428768396186e0516a6dcb12848
Instruction ID: 2c5d1d614dc950143a0c236e3b3adb7d2edd3210c30bf7e4f574083ff796b393
Opcode Fuzzy Hash: b61feb5c5837f3000655948624d25c8ebada9428768396186e0516a6dcb12848
Instruction Fuzzy Hash: D1316931210606AFDF248EB8DC99FEA7FA9FB48324F204719F979921E0D774AC509B50

Function 00596E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00596EED
VariantCopyInd.OLEAUT32(?,?), ref: 00596F08
VariantClear.OLEAUT32(?), ref: 00596F12

Strings

*jY, xrefs: 00596E8B, 00596E90, 00596EF8

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jY
API String ID: 2173805711-1195274329
Opcode ID: b63aec31f8c7aac3d2264b56cae887d7931828048f5459a86b71dc6a8cc8ced6
Instruction ID: c30b64a8e45e8c31607e840db6ab4a1efb13e809c354a7ec7fea10015b2e1209
Opcode Fuzzy Hash: b63aec31f8c7aac3d2264b56cae887d7931828048f5459a86b71dc6a8cc8ced6
Instruction Fuzzy Hash: 29318F72604246DFDF09AFA4E8959BE7F75FF85300F100899F9034B2A1D738995ADBA0

Function 005B304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005B335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,005B3077,?,?), ref: 005B3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005B307A
_wcslen.LIBCMT ref: 005B309B
htons.WSOCK32(00000000,?,?,00000000), ref: 005B3106

Strings

255.255.255.255, xrefs: 005B3095, 005B309A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 75e9ed3ea6851fed1bab0c7006ff3aa74b7ae8194f5dd8432f1a76674883cb6e
Instruction ID: b58523df02058bae545a61918e06e4707bcb74d639c458981188e66fdb345fa4
Opcode Fuzzy Hash: 75e9ed3ea6851fed1bab0c7006ff3aa74b7ae8194f5dd8432f1a76674883cb6e
Instruction Fuzzy Hash: 4331C4396042059FC710DF28C489EEA7FE4FF54318F248459E915AB3A2DB71EE45CB60

Function 005C4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005C4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005C4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005C471A

Strings

msctls_updown32, xrefs: 005C4684

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 20c2a185deb19a2f01e0d9b650af355edadacbe328ee6a57bf9fa4fb0d49ea6e
Instruction ID: fb578ebc212f156a9965150a961881ded485c56d30e5e056055ace65dec6fde2
Opcode Fuzzy Hash: 20c2a185deb19a2f01e0d9b650af355edadacbe328ee6a57bf9fa4fb0d49ea6e
Instruction Fuzzy Hash: CB215EB5600209AFDB10DF68DC95DB73BEDFB9A394B040059FA059B351CB30EC52DA60

Function 005995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0059961D

Strings

#OnAutoItStartRegister, xrefs: 005995F3
#requireadmin, xrefs: 005995D9
#notrayicon, xrefs: 005995B7

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 67b570000df6b02fce49112ac591cec5b3e32fc5aae40a0ad12dec7db21693c1
Instruction ID: af21cfe12ade0bbfa9439c9be24064df748add6d4318450cad06b8aec92e9598
Opcode Fuzzy Hash: 67b570000df6b02fce49112ac591cec5b3e32fc5aae40a0ad12dec7db21693c1
Instruction Fuzzy Hash: 0F21267210451266DB31AA2CDC16FB77FACBF95310F10442EF94997041EB51AD45C3D5

Function 005C37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005C3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005C3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005C3876

Strings

Listbox, xrefs: 005C380F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ce61431aee6eb7118d87e1e1ec8a98ed3975c2b265884a602b775f7f9493a468
Instruction ID: d3ce60f7799fc1e65e67fd4f238c5b988e6a25bd0318f873baf2fb2c553b0c2f
Opcode Fuzzy Hash: ce61431aee6eb7118d87e1e1ec8a98ed3975c2b265884a602b775f7f9493a468
Instruction Fuzzy Hash: 3F218072610118BFEB119F94DC85FBB3BAEFF89750F118128F9049B190C671DD5287A0

Function 005A49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005A4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 005A4A5C
SetErrorMode.KERNEL32(00000000,?,?,005CCC08), ref: 005A4AD0

Strings

%lu, xrefs: 005A4A6F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: e9392da659cbdc20a778cb8564f4ffa9b610c20769ac16ed14869d103fa92bd9
Instruction ID: 9ba51ccc538f6fda20655ccf3bf6947921e8ea23a6f84c28cf00af5b7efc7128
Opcode Fuzzy Hash: e9392da659cbdc20a778cb8564f4ffa9b610c20769ac16ed14869d103fa92bd9
Instruction Fuzzy Hash: A0312D75A00109AFDB10DF94C885EAA7BB9FF49308F1480A5E509DB252D771ED45CB61

Function 005C41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005C424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005C4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005C4271

Strings

msctls_trackbar32, xrefs: 005C4226

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 2f13c74a6faae57d14b698a16cc15daafbec0e7e6e81ce480fe780a9c0f823de
Instruction ID: 81347761612471b1e2a655e591071da36648a7fc9a0d19ebdc02bf08a9d44d23
Opcode Fuzzy Hash: 2f13c74a6faae57d14b698a16cc15daafbec0e7e6e81ce480fe780a9c0f823de
Instruction Fuzzy Hash: 5511A331240248BEEF205E69CC46FAB3FACFF95B54F114518FA55E6090D671D851DB50

Function 00592F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

Part of subcall function 00592DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00592DC5
Part of subcall function 00592DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00592DD6
Part of subcall function 00592DA7: GetCurrentThreadId.KERNEL32 ref: 00592DDD
Part of subcall function 00592DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00592DE4

GetFocus.USER32 ref: 00592F78

Part of subcall function 00592DEE: GetParent.USER32(00000000), ref: 00592DF9

GetClassNameW.USER32(?,?,00000100), ref: 00592FC3
EnumChildWindows.USER32(?,0059303B), ref: 00592FEB

Strings

%s%d, xrefs: 00592FFF

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 7498bf087034d871cff9d5dab7d88fec7e7d1d79f64c0d5d241bd2e21c0cc144
Instruction ID: 5c64e60e428fca8c9e235c99e3edb9b62cb36f1c657f24df24ba34a47cb43ceb
Opcode Fuzzy Hash: 7498bf087034d871cff9d5dab7d88fec7e7d1d79f64c0d5d241bd2e21c0cc144
Instruction Fuzzy Hash: FE118471600206ABCF14BF749C9DEED7F6ABFD4304F048079FA099B252DE70994A9B60

Function 005C5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005C58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005C58EE
DrawMenuBar.USER32(?), ref: 005C58FD

Strings

0, xrefs: 005C588F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 4749ed6c064bc7bbabdfd1e9378be5919d4ccda588ff099dbb32a3a14a6479e8
Instruction ID: acc4acd8fd3f37b3c3594f490723f5c933feb2b0fda9c4ca593b0cb65f7bbbbf
Opcode Fuzzy Hash: 4749ed6c064bc7bbabdfd1e9378be5919d4ccda588ff099dbb32a3a14a6479e8
Instruction Fuzzy Hash: 99015B31500218EFDB619F95DC48FAEBFB8FB85361F108499F849DA151EB309A94EF21

Function 0058D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0058D3BF
FreeLibrary.KERNEL32 ref: 0058D3E5

Strings

X64, xrefs: 0058D2A8
GetSystemWow64DirectoryW, xrefs: 0058D3B9

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 7fcd8fce5420ade9fc93c8a7a8a05d0aedd5c742a848b0241c508d2727829a9f
Instruction ID: 9e300e8b74a2692419d09974dd922ad3d933a06be2eee7c7f92bef532e73b507
Opcode Fuzzy Hash: 7fcd8fce5420ade9fc93c8a7a8a05d0aedd5c742a848b0241c508d2727829a9f
Instruction Fuzzy Hash: F3F02035841A20AEC77126104C58EAA7FB0BF10B01BA84919EC0BFA184EA20CD4483F2

Function 0059007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d30e716f07b2c5dee5e764408270a29be6092cf147dc84f659bca32d15239b
Instruction ID: c83dc6b7220128ded7809eca5f3f895df2bb32ae2d9a85747000596312d5e228
Opcode Fuzzy Hash: 24d30e716f07b2c5dee5e764408270a29be6092cf147dc84f659bca32d15239b
Instruction Fuzzy Hash: 15C15B75A00216EFCF14CFA4C894AAEBBB5FF48714F209998E905EB291D731DD41DB90

Function 005B342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005B3459
CoUninitialize.OLE32 ref: 005B3463
VariantInit.OLEAUT32(?), ref: 005B346E
VariantClear.OLEAUT32(?), ref: 005B371B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 0547e3605a73e716f5e1b1377a2fe5a5fe4cff05de24429cceaa1afc73618fd5
Instruction ID: d354b1691a6aad9fca242d13eaa3275317ca8615392ef2baed9d91461cda1a55
Opcode Fuzzy Hash: 0547e3605a73e716f5e1b1377a2fe5a5fe4cff05de24429cceaa1afc73618fd5
Instruction Fuzzy Hash: 31A16B756046059FCB14DF28C489A6ABBE5FF8C714F048859F98AAB362DB30FE05CB51

Function 00590436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005CFC08,?), ref: 005905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005CFC08,?), ref: 00590608
CLSIDFromProgID.OLE32(?,?,00000000,005CCC40,000000FF,?,00000000,00000800,00000000,?,005CFC08,?), ref: 0059062D
_memcmp.LIBVCRUNTIME ref: 0059064E

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 03e9b6cd61a601694fb6a6ad3f0ca0aff75da76f18c82a295a1cf815bd4d5efb
Instruction ID: b431cd1fff1231a6961e8770a918d8dc32ddbe2c6cd01b22c72190f210cb1ad2
Opcode Fuzzy Hash: 03e9b6cd61a601694fb6a6ad3f0ca0aff75da76f18c82a295a1cf815bd4d5efb
Instruction Fuzzy Hash: 8A81EB75A00109EFCF04DF94C984EEEBBB9FF89315F205558E516AB290DB71AE06CB60

Function 00571391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005714C0

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: db37488bca0c4dc98c651f7af1b9ee744529db9731009251b79e7715e327b921
Instruction ID: 020436e4b6ded235fe4404d16278c7cbf72a787f5b04c037ef5af29c1e729fec
Opcode Fuzzy Hash: db37488bca0c4dc98c651f7af1b9ee744529db9731009251b79e7715e327b921
Instruction Fuzzy Hash: 53417F75600D026BDF356BBCAC4AABE3EA6FF81370F148626F81DD3191EA3448417765

Function 005C6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005C62E2
ScreenToClient.USER32(?,?), ref: 005C6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 005C6382

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e79bc6c3f5ca0601871c82506d72b49ff9799350e70ad6445ca6f27c7a579aac
Instruction ID: c1a5a64b4508164dbe56d5e0b9042bd7760108088e1df3b26789a0600bbed0a6
Opcode Fuzzy Hash: e79bc6c3f5ca0601871c82506d72b49ff9799350e70ad6445ca6f27c7a579aac
Instruction Fuzzy Hash: 88511B74A00649AFCF10DFA8D984EAE7BB6FB95760F10855DF8159B290D730EE81CB90

Function 005B1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 005B1AFD
WSAGetLastError.WSOCK32 ref: 005B1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 005B1B8A
WSAGetLastError.WSOCK32 ref: 005B1B94

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 793f796e7b7c4ccc44079f11a757496588a9a8b0979543ac600d3ee57c9f7002
Instruction ID: f20ed79146010cedf82243647c2f4b8b467443cdcd056c6398433cc249137a81
Opcode Fuzzy Hash: 793f796e7b7c4ccc44079f11a757496588a9a8b0979543ac600d3ee57c9f7002
Instruction Fuzzy Hash: 7541B074600601AFE720AF24C88AF667FE5BB84718F54844CFA1A9F3D2D772ED418B90

Function 0056B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f216da68e3eb26188c3db65238b7df6a6a89725f2200eaf00ab2a2654de8b473
Instruction ID: fdc84ae2840e816d15c0fc2a56f709b48d77b017a52b257b59e6dc373fdb905a
Opcode Fuzzy Hash: f216da68e3eb26188c3db65238b7df6a6a89725f2200eaf00ab2a2654de8b473
Instruction Fuzzy Hash: 7C412B75900714AFE724AF38CC45BAA7FEAFBC4711F10452AF546DB291D77199818780

Function 005A56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 005A5783
GetLastError.KERNEL32(?,00000000), ref: 005A57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005A57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005A57FA

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 661681ffe082f4863672373230d02e137404cf6fd2913f7392d5916faac844b6
Instruction ID: f136b16e5268793c35069dc8496edfbf21d7f9ac4f4a6162944506ece2c2b4e2
Opcode Fuzzy Hash: 661681ffe082f4863672373230d02e137404cf6fd2913f7392d5916faac844b6
Instruction Fuzzy Hash: 1841F839600A15DFCB25DF15C448A1DBFE1BF99320F188488E84A6B362DB34ED009B91

Function 0056D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00556D71,00000000,00000000,005582D9,?,005582D9,?,00000001,00556D71,?,00000001,005582D9,005582D9), ref: 0056D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0056D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0056D9AB
__freea.LIBCMT ref: 0056D9B4

Part of subcall function 00563820: RtlAllocateHeap.NTDLL(00000000,?,00601444,?,0054FDF5,?,?,0053A976,00000010,00601440,005313FC,?,005313C6,?,00531129), ref: 00563852

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3b4e5cfff15af5bbccc99961fb47d3523ba25fb12212aeb9c756a903c6704d26
Instruction ID: 1445b772efd183fa1e0ffe1d94cc7653a73d1cb80b0c6303a73583e9ee6d2e66
Opcode Fuzzy Hash: 3b4e5cfff15af5bbccc99961fb47d3523ba25fb12212aeb9c756a903c6704d26
Instruction Fuzzy Hash: A9319A72A0020AABDB249F65DC49EAF7FB5FB41750B054569FC08D7290EB35CD54CBA0

Function 005C52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 005C5352
GetWindowLongW.USER32(?,000000F0), ref: 005C5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005C5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005C53A8

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e259c1fae6f0f03bb0ee131cddd34d222292175e152677a9bead061aa0302b1c
Instruction ID: 825ed3d4c37ed9611bbc84b2776b9946a3063c10a6373d2e44db7d2e25ee2789
Opcode Fuzzy Hash: e259c1fae6f0f03bb0ee131cddd34d222292175e152677a9bead061aa0302b1c
Instruction Fuzzy Hash: 5431D430A55A88AFEB309FD4CC15FE93F65BB05B90F944909FA10961E1E7B4B9C09B41

Function 0059AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0059ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0059AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0059AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0059ACC6

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8c114579c1251ed9e6f345969a20eae6054985c60fc44b42b297de668ced059d
Instruction ID: 4fc555b56e0e24884c2b60c31b7a90547ad7c049b09a4e3086b4067690ec3d2d
Opcode Fuzzy Hash: 8c114579c1251ed9e6f345969a20eae6054985c60fc44b42b297de668ced059d
Instruction Fuzzy Hash: 4A310430A00619AFFF35CB698C08BFA7FA5BB89311F08461AF4859A1D1C3758D8597F2

Function 005C7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005C769A
GetWindowRect.USER32(?,?), ref: 005C7710
PtInRect.USER32(?,?,005C8B89), ref: 005C7720
MessageBeep.USER32(00000000), ref: 005C778C

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2be2ac90dc633e73207482a31e72b4191e9d9af68c533478a5da0ff3ff77f05b
Instruction ID: b1126bc87aff012d8c0f4550a8e0e18501e211a1af67374f068dbc96713e7f22
Opcode Fuzzy Hash: 2be2ac90dc633e73207482a31e72b4191e9d9af68c533478a5da0ff3ff77f05b
Instruction Fuzzy Hash: 58415A34A0521D9FCB11CFA8C894FA9BBF5FB4D314F1941ADE9149B661C730A942CF90

Function 005C16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005C16EB

Part of subcall function 00593A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00593A57
Part of subcall function 00593A3D: GetCurrentThreadId.KERNEL32 ref: 00593A5E
Part of subcall function 00593A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005925B3), ref: 00593A65

GetCaretPos.USER32(?), ref: 005C16FF
ClientToScreen.USER32(00000000,?), ref: 005C174C
GetForegroundWindow.USER32 ref: 005C1752

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9d1eb7e2f2afe5247ef5a8628178abd6a19e1f93f89b52b6eccb11d7fdd8ffb2
Instruction ID: d487a431111dc023bb84b0c2067822e08e6455977034935667bd4ca5c1c32ae0
Opcode Fuzzy Hash: 9d1eb7e2f2afe5247ef5a8628178abd6a19e1f93f89b52b6eccb11d7fdd8ffb2
Instruction Fuzzy Hash: 28311D75D00549AFCB04EFA9C885DAEBBF9FF89304B5480A9E415E7212D6319E45CFA0

Function 0059D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0059D501
Process32FirstW.KERNEL32(00000000,?), ref: 0059D50F
Process32NextW.KERNEL32(00000000,?), ref: 0059D52F
CloseHandle.KERNEL32(00000000), ref: 0059D5DC

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 829b3d98b0d657f8895e86f48bc947588871e9cc2b28c3e64dc79747c9b94041
Instruction ID: 5baae22b1b1d4293fc8985230f9ebd25e08b7a8743e3ef32d1a266e212e5a6ce
Opcode Fuzzy Hash: 829b3d98b0d657f8895e86f48bc947588871e9cc2b28c3e64dc79747c9b94041
Instruction Fuzzy Hash: 18317C721082019FD701EF64C885AAFBFF8BFD9354F14092DF585861A1EB719949CBA2

Function 005C8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

GetCursorPos.USER32(?), ref: 005C9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00587711,?,?,?,?,?), ref: 005C9016
GetCursorPos.USER32(?), ref: 005C905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00587711,?,?,?), ref: 005C9094

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: abf9fc249a256d14e366c661c0084d9b58720f76e5f620a9570fa61a9ffa305c
Instruction ID: cfa09badf0576a254d402ab5513188abb69e6aa642fef65f04eb36cfe8eb4e64
Opcode Fuzzy Hash: abf9fc249a256d14e366c661c0084d9b58720f76e5f620a9570fa61a9ffa305c
Instruction Fuzzy Hash: 71216D35600018EFDB258F94C85DFEA7FBAFB8A350F144059F9055B261C7319990EB60

Function 0059D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,005CCB68), ref: 0059D2FB
GetLastError.KERNEL32 ref: 0059D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0059D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,005CCB68), ref: 0059D376

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1a4dfa6631a90a3b7e2e22fb7188a9e59ce53d1324a85c139475daf56bc98848
Instruction ID: bc85206f5852fd707b24c1f0cd4d1a07d94162fdad7875bfd755688cd0a3e30a
Opcode Fuzzy Hash: 1a4dfa6631a90a3b7e2e22fb7188a9e59ce53d1324a85c139475daf56bc98848
Instruction Fuzzy Hash: 77218D745082029FCB00DF68C8858AABFF4BE96365F504E1DF499C32A1D730994ACBA3

Function 00591571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00591014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0059102A
Part of subcall function 00591014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00591036
Part of subcall function 00591014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00591045
Part of subcall function 00591014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0059104C
Part of subcall function 00591014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00591062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005915BE
_memcmp.LIBVCRUNTIME ref: 005915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00591617
HeapFree.KERNEL32(00000000), ref: 0059161E

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2325aad4cbe993b8bff76d7e36981dc8c19d1b6549ab030b12df60e7910ced4f
Instruction ID: 40d383346914911b0efb17c3ca4e1d944d95566f732cf96b2dd1f604b1228335
Opcode Fuzzy Hash: 2325aad4cbe993b8bff76d7e36981dc8c19d1b6549ab030b12df60e7910ced4f
Instruction Fuzzy Hash: BD219031E4051AEFDF10DFA4CA49BEEBBB8FF44344F094459E445AB241D730AA05DB54

Function 005C2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005C280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005C2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005C2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005C2840

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: de6a21ec72bb84af3926a648d8cc2746775800e844ca176857a4bd7a806d1a79
Instruction ID: dab5b5619aee1d519ff1e9ee66a0551126ed42a1d80b79d09b1c4a7265eace56
Opcode Fuzzy Hash: de6a21ec72bb84af3926a648d8cc2746775800e844ca176857a4bd7a806d1a79
Instruction Fuzzy Hash: 4C219D35208611AFD7149B64C895FAA7FA5FF85324F14815CF42A8B6A2CB75EC82CB90

Function 005978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00598D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0059790A,?,000000FF,?,00598754,00000000,?,0000001C,?,?), ref: 00598D8C
Part of subcall function 00598D7D: lstrcpyW.KERNEL32(00000000,?,?,0059790A,?,000000FF,?,00598754,00000000,?,0000001C,?,?,00000000), ref: 00598DB2
Part of subcall function 00598D7D: lstrcmpiW.KERNEL32(00000000,?,0059790A,?,000000FF,?,00598754,00000000,?,0000001C,?,?), ref: 00598DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00598754,00000000,?,0000001C,?,?,00000000), ref: 00597923
lstrcpyW.KERNEL32(00000000,?,?,00598754,00000000,?,0000001C,?,?,00000000), ref: 00597949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00598754,00000000,?,0000001C,?,?,00000000), ref: 00597984

Strings

cdecl, xrefs: 0059797B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c4cba26180abe5941420279cf741488bda5b58ff64339f08e4b6496cadee58ec
Instruction ID: 4cf22cfbfb0800b8c2e7b5c7b542a7fc22749c212b4516ba687e2d70bd95c240
Opcode Fuzzy Hash: c4cba26180abe5941420279cf741488bda5b58ff64339f08e4b6496cadee58ec
Instruction Fuzzy Hash: 7B11063A200706AFCF155F39D848E7A7BA9FF99350B10402BF906CB264EB319811D791

Function 005C7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 005C7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 005C7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 005C7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,005AB7AD,00000000), ref: 005C7D6B

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: ed6e26dca059045cdca78e91d594acc2a2eadafce1eca4148d689e52dbe84362
Instruction ID: 4b3d1024d5bdcee9e66ebbb8f8bdaa7c0f0913768a3a5b8cf91b639743fd4096
Opcode Fuzzy Hash: ed6e26dca059045cdca78e91d594acc2a2eadafce1eca4148d689e52dbe84362
Instruction Fuzzy Hash: 53118E31504619AFCB109F68DC04EA63FA5BF4A360F154728F83ACB6E0D7309950DB90

Function 005C5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 005C56BB
_wcslen.LIBCMT ref: 005C56CD
_wcslen.LIBCMT ref: 005C56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 005C5816

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 276925e52f456dd0c299066a55d5bc7e81e4a2279919b7dc8fb4d1a2108ae0ca
Instruction ID: f6ff43ad054dd7e4ea066aa5d10618790a5539ad181f006a0fff7f6196400dcb
Opcode Fuzzy Hash: 276925e52f456dd0c299066a55d5bc7e81e4a2279919b7dc8fb4d1a2108ae0ca
Instruction Fuzzy Hash: 5511DF316006099EDF209BE58C85FEE3FACFB11364B10496AF9059A081F770AAC4CBA0

Function 00561D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b9e597f3f9baf05735f1e5a5e79bdfa07bb8980706f1b101823b4a8ba62ef1
Instruction ID: a3750c921c7cfbbdd1db1cb677e5449dd0c8c6dcffd8bb21c0ce1c69be832031
Opcode Fuzzy Hash: 52b9e597f3f9baf05735f1e5a5e79bdfa07bb8980706f1b101823b4a8ba62ef1
Instruction Fuzzy Hash: 6E0178B2609E167EF62126786CC5F376E2DFF817B8F380725F525A22D2DA608C4091A4

Function 00591A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00591A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00591A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00591A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00591A8A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9872be7962d053dfdc87bf430941bcf6ef4cb88bd0368e43e0e37d7809bdda8d
Instruction ID: a2f5d6a6fe1d432e7a4935a6d3cc51bb25ee28a42910e644417405a88880c0ce
Opcode Fuzzy Hash: 9872be7962d053dfdc87bf430941bcf6ef4cb88bd0368e43e0e37d7809bdda8d
Instruction Fuzzy Hash: 7411FA3AD01229FFEF119BA5C985FADBB78FB04750F200091E605B7290D6716E50DB94

Function 0059E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0059E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0059E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0059E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0059E24D

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b749f7326d2c678bd113a009e55cb135a3bf9362b692127a645dea926eb20f72
Instruction ID: b60736ac5760e30148f4ad816ff342998c0a7820d7de8aeeeac3d4b6066cd30b
Opcode Fuzzy Hash: b749f7326d2c678bd113a009e55cb135a3bf9362b692127a645dea926eb20f72
Instruction Fuzzy Hash: 2211C876904254BFCB05DBA8EC0AE9F7FADEB46710F144255F914D7291D670890487A0

Function 0055D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0055CFF9,00000000,00000004,00000000), ref: 0055D218
GetLastError.KERNEL32 ref: 0055D224
__dosmaperr.LIBCMT ref: 0055D22B
ResumeThread.KERNEL32(00000000), ref: 0055D249

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b3afc60178f39c11f812443219df5b941e4b3d438db8b45ad9d89a2637d72fd9
Instruction ID: 7e29d524db63d6c4b78bccac5b8aaee5b53cb1bfb4bb41344cf3f6591aea6237
Opcode Fuzzy Hash: b3afc60178f39c11f812443219df5b941e4b3d438db8b45ad9d89a2637d72fd9
Instruction Fuzzy Hash: 9801C07B805605BBCB215BA6DC19AAA7E79FF81732F10021AFD25921D0DB708909D7B0

Function 0053600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0053604C
GetStockObject.GDI32(00000011), ref: 00536060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0053606A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 68fce195ae2783d48af34254100d3eef1e3e0cac2607e66699d8608bd06567f4
Instruction ID: 001a278f35ca34b2a3f4c7ea28559109152c076cd9c8dcd7a92590e666c9841d
Opcode Fuzzy Hash: 68fce195ae2783d48af34254100d3eef1e3e0cac2607e66699d8608bd06567f4
Instruction Fuzzy Hash: 4511C072501508BFEF164FA4DC49EEABFA9FF193A4F044209FA0996010C732DC60EBA1

Function 00553B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00553B56

Part of subcall function 00553AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00553AD2
Part of subcall function 00553AA3: ___AdjustPointer.LIBCMT ref: 00553AED

_UnwindNestedFrames.LIBCMT ref: 00553B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00553B7C
CallCatchBlock.LIBVCRUNTIME ref: 00553BA4

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: ad7da77d0d125f7c3e5d1a005222f6169f649587d5db565105bf9e2e395b6e7f
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 0D012932100149BBDF125E95CC5AEEB3F69FF887A9F044016FE4896121C732E965DBA0

Function 00563073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005313C6,00000000,00000000,?,0056301A,005313C6,00000000,00000000,00000000,?,0056328B,00000006,FlsSetValue), ref: 005630A5
GetLastError.KERNEL32(?,0056301A,005313C6,00000000,00000000,00000000,?,0056328B,00000006,FlsSetValue,005D2290,FlsSetValue,00000000,00000364,?,00562E46), ref: 005630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0056301A,005313C6,00000000,00000000,00000000,?,0056328B,00000006,FlsSetValue,005D2290,FlsSetValue,00000000), ref: 005630BF

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 19b88dd303ecde39024debbbbd5523b638e5112eb46b5f65e929a7972a2558b6
Instruction ID: 9c696e588d6b11d73fad33f92416db277cbd0709c7507c6462460696e05d90f5
Opcode Fuzzy Hash: 19b88dd303ecde39024debbbbd5523b638e5112eb46b5f65e929a7972a2558b6
Instruction Fuzzy Hash: 6801F736341622ABCB314B79AC48E577F98FF15BB1B100620F909E7150D721D90DC7E0

Function 00597464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0059747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00597497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005974CA

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: dcc9e06235c3aae856e502877bca2b8036eaa745cfeb1745f8787b85a005d087
Instruction ID: a4b505b62c20de2b2ae657598410ad182be79752ac3127498659e78bce596332
Opcode Fuzzy Hash: dcc9e06235c3aae856e502877bca2b8036eaa745cfeb1745f8787b85a005d087
Instruction Fuzzy Hash: 53117CB12157189FEF208F14DC08F927FBCFB04B00F10856AA62AD6152D770E908EB90

Function 0059B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0059ACD3,?,00008000), ref: 0059B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0059ACD3,?,00008000), ref: 0059B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0059ACD3,?,00008000), ref: 0059B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0059ACD3,?,00008000), ref: 0059B126

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: f060161280a9a499871267e7a63279324e84fbe28c8863df296a7a1189d3917a
Instruction ID: 32b1fd4e634395bbf838f9ac35ba7347424aa58b294e92b757c50ecf18733475
Opcode Fuzzy Hash: f060161280a9a499871267e7a63279324e84fbe28c8863df296a7a1189d3917a
Instruction Fuzzy Hash: 70118B30C00A2CEBEF00AFE5EA68AEEBF78FF59310F014485D941B2181CB305650EB91

Function 005C7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005C7E33
ScreenToClient.USER32(?,?), ref: 005C7E4B
ScreenToClient.USER32(?,?), ref: 005C7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005C7E8A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: fd664af59ede8a799e09e492a328a6e0cfab193147d4a55839e86b6b9d27e7c2
Instruction ID: f41bc61bcb3cbea4b2a4eb5e6cc1550a263eb0059bf79a8718f3306ea32b384f
Opcode Fuzzy Hash: fd664af59ede8a799e09e492a328a6e0cfab193147d4a55839e86b6b9d27e7c2
Instruction Fuzzy Hash: AB1143B9D0020AAFDB41CFA8C984AEEBBF9FB18310F505056E915E2610D735AA55DF90

Function 00592DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00592DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00592DD6
GetCurrentThreadId.KERNEL32 ref: 00592DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00592DE4

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 70e86a2e6a3b2003363c091cbccb781e9d900c65c3cf67adf953b66f3921f0b9
Instruction ID: 446ef5a1926071d5a8c1f640d1bfc08c396bcbb358d1f18224ba5ddb8e4218d6
Opcode Fuzzy Hash: 70e86a2e6a3b2003363c091cbccb781e9d900c65c3cf67adf953b66f3921f0b9
Instruction Fuzzy Hash: 8BE092B15017247FDB201B779C0DFEB3E6CFF62BA1F000015F10AD10809AA0C886D6B0

Function 005C8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00549639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00549693
Part of subcall function 00549639: SelectObject.GDI32(?,00000000), ref: 005496A2
Part of subcall function 00549639: BeginPath.GDI32(?), ref: 005496B9
Part of subcall function 00549639: SelectObject.GDI32(?,00000000), ref: 005496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 005C8887
LineTo.GDI32(?,?,?), ref: 005C8894
EndPath.GDI32(?), ref: 005C88A4
StrokePath.GDI32(?), ref: 005C88B2

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 5141190be306a056499a450ba1bf74b8d6dfdc94d70b5184e5b80ded4600a63d
Instruction ID: 4b4d9e9415f8f7ae2146ebc6f81218042e9a82521277b2dca6d7a6b52947bb6a
Opcode Fuzzy Hash: 5141190be306a056499a450ba1bf74b8d6dfdc94d70b5184e5b80ded4600a63d
Instruction Fuzzy Hash: E7F09436041618BAEB126F94AC0EFDE3F6AAF16310F088004FA01650E2C7B41525EBE9

Function 005498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005498CC
SetTextColor.GDI32(?,?), ref: 005498D6
SetBkMode.GDI32(?,00000001), ref: 005498E9
GetStockObject.GDI32(00000005), ref: 005498F1

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 7120f10facfd9ac53f85e0597091fb6d7fcf5c7e688e7f32c2c89a88c334705e
Instruction ID: e7f1e831cf392cb4c88f656f6967fcf56a5b0ef4ad272c1ca580218891f66ba9
Opcode Fuzzy Hash: 7120f10facfd9ac53f85e0597091fb6d7fcf5c7e688e7f32c2c89a88c334705e
Instruction Fuzzy Hash: 8DE06531644644AEDB215B75BC09FD93F10BB26335F188219F6FE540E1C3718644EB10

Function 0059162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00591634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005911D9), ref: 0059163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005911D9), ref: 00591648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005911D9), ref: 0059164F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: afa4aabbc3f1f17c72c95916e7a7f4362170fc02c6620d85ecfa5e805cb7ce95
Instruction ID: 1bd17cefe92f8602ab589c6b7d7bf91eb36346c912cf0a17d00dc2d3619fd2c7
Opcode Fuzzy Hash: afa4aabbc3f1f17c72c95916e7a7f4362170fc02c6620d85ecfa5e805cb7ce95
Instruction Fuzzy Hash: CAE08671A01621DFDB201FA0AD0DF4A3F7CBF64791F184808F249D9080D6348449D754

Function 0058D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0058D858
GetDC.USER32(00000000), ref: 0058D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0058D882
ReleaseDC.USER32(?), ref: 0058D8A3

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 78234e4432b03b138572c24488b6d6902494e370f0f5fef8faf7e6a72f779bae
Instruction ID: d85ebfd2103f6bd73dd90b9bc5f11d1a881150d908abb5abdedd0723a8f65d8b
Opcode Fuzzy Hash: 78234e4432b03b138572c24488b6d6902494e370f0f5fef8faf7e6a72f779bae
Instruction Fuzzy Hash: 86E01AB4800605DFCB41AFA4D90CA6DBFB1FB18310F149409E84AF7250C7388946AF50

Function 0058D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0058D86C
GetDC.USER32(00000000), ref: 0058D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0058D882
ReleaseDC.USER32(?), ref: 0058D8A3

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: bdb05f9386c8d23f360e340cf9fa4a80c583de20603fda33c9894791ab410254
Instruction ID: ca0cfe6c3bef5a6ac563ceabd6bf9434c47a506f9a23e84e8f6080c18c47b6a5
Opcode Fuzzy Hash: bdb05f9386c8d23f360e340cf9fa4a80c583de20603fda33c9894791ab410254
Instruction Fuzzy Hash: 11E012B4800A00EFCB40AFA4D90CA6DBFB1BB18310F149408E84AE7250CB38994AAF50

Function 005A4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00537620: _wcslen.LIBCMT ref: 00537625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 005A4ED4

Strings

LPT, xrefs: 005A4DFB
*, xrefs: 005A4E10

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 5b0f5b83b1d11f8081965fceef6863dd92bdbf338599bcdc3a895a38cc1d7c91
Instruction ID: cd4d2d4194ff320bc8cc5c73786e6badbf5a33d84e70ea8c6db83cde3c2a66fc
Opcode Fuzzy Hash: 5b0f5b83b1d11f8081965fceef6863dd92bdbf338599bcdc3a895a38cc1d7c91
Instruction Fuzzy Hash: 23913B75A002459FCB14DF98C484EAEBBF5BF89304F188099E80A9B362D775ED85CF91

Function 0055E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0055E30D

Strings

pow, xrefs: 0055E2E5, 0055E302

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 8583a82e99765fa552fc49394b85b31b99590bc430637879bea9711c135bad83
Instruction ID: 4bca6d5c9d6f50df3a62a9ecb0f6435105a2603d01cfc83debc6fbb8cf55bc50
Opcode Fuzzy Hash: 8583a82e99765fa552fc49394b85b31b99590bc430637879bea9711c135bad83
Instruction Fuzzy Hash: 3651AC61A0C20692CB197724CD133793FA8FB54746F304D9BE8D1432A8EB318DCD9B46

Function 005B7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0058569E,00000000,?,005CCC08,?,00000000,00000000), ref: 005B78DD

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

CharUpperBuffW.USER32(0058569E,00000000,?,005CCC08,00000000,?,00000000,00000000), ref: 005B783B

Strings

<s_, xrefs: 005B77C8

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s_
API String ID: 3544283678-771138486
Opcode ID: 0086d07b2283c54821409c76ce555140170f693bd9935de219223cc1a060f60d
Instruction ID: 34a84a98b4b33e4cde5e785b9900ed1c5198819439913a05dbb5ee4146d22b7a
Opcode Fuzzy Hash: 0086d07b2283c54821409c76ce555140170f693bd9935de219223cc1a060f60d
Instruction Fuzzy Hash: 05615B7691411EAACF04EBA4CC95DFDBB78BF98300F544529F642B7091EF346A09DBA0

Function 0054E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0054E1B1

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 739d43eec8973a5e7b6ed6f18834b6356c7de441e6d088f064d729e742bdee62
Instruction ID: 0c02b40745e03b1efdcea3b1ba2925ed23101e62f8ed68757b57018154fc69de
Opcode Fuzzy Hash: 739d43eec8973a5e7b6ed6f18834b6356c7de441e6d088f064d729e742bdee62
Instruction Fuzzy Hash: 7C512335608286DFDB15EF68C4866FA7FB4FF65314F244055EC91AB280D6349D42CB90

Function 0054F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0054F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0054F2BB

Strings

@, xrefs: 0054F2AF

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: e0d2706ba88539b4d35fa2dd6a5189f4a100435e64dc74eeef46568c2ddfbb93
Instruction ID: 6f20741d96beacefce56ef81ec31a4e12653fa1a3c54feb5a3d50534fc7b35f7
Opcode Fuzzy Hash: e0d2706ba88539b4d35fa2dd6a5189f4a100435e64dc74eeef46568c2ddfbb93
Instruction Fuzzy Hash: 845138714087499BD320AF10DC8ABAFBBF8FBD8300F81885DF1D951195EB708629CB66

Function 005B5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005B57E0
_wcslen.LIBCMT ref: 005B57EC

Strings

CALLARGARRAY, xrefs: 005B57E6, 005B57EB

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: ae1465a580e75a365a36977a792fb31ce53b021b236a60d5bc61fe155db6b37b
Instruction ID: 46b59e1c51b21d710e01bc33e63c90fbe55fc8bd647d4eae2635d49b0e515d29
Opcode Fuzzy Hash: ae1465a580e75a365a36977a792fb31ce53b021b236a60d5bc61fe155db6b37b
Instruction Fuzzy Hash: A2416F71A0010A9FCF18DFA9C885AEEBFB5FF99324F244069F505A7251E774AD81CB90

Function 005AD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005AD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005AD13A

Strings

|, xrefs: 005AD10B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: cdf55b86b67b45ea9d6afeda51fc81b2d079944ab1effe05d35f331766002216
Instruction ID: 4fd97d21e0d26773caf53205f9b4abaf1b3a989b109f1657fff2ebdc0878438c
Opcode Fuzzy Hash: cdf55b86b67b45ea9d6afeda51fc81b2d079944ab1effe05d35f331766002216
Instruction Fuzzy Hash: 97311D71D0021AABCF15EFA4CC89AEFBFB9FF49300F104019F815A6165D735AA56DBA0

Function 005C356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 005C3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005C365C

Strings

static, xrefs: 005C35BC

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8909b427aafd114a5966df3af0b54fba06f86fa8e5c1be8402e1195e8175a925
Instruction ID: f3256e1589754406fffadd86e20b50d6e444ed868fbd88dbf66b6e713c607dd3
Opcode Fuzzy Hash: 8909b427aafd114a5966df3af0b54fba06f86fa8e5c1be8402e1195e8175a925
Instruction Fuzzy Hash: E1318171110608AEDB10DF68DC85FFB7BA9FF88714F10961DF95597280DA31AD81D760

Function 005C4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 005C461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005C4634

Strings

', xrefs: 005C458E

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 3b1db8886ef49b156b2c50a48a6ab1da09ec9f8743b8e57049e859af5bc2e0a9
Instruction ID: 165b37b5d9415c14f988bba5614adc791dc59d284934ff34f2a2ea386c14e8d7
Opcode Fuzzy Hash: 3b1db8886ef49b156b2c50a48a6ab1da09ec9f8743b8e57049e859af5bc2e0a9
Instruction Fuzzy Hash: BA311674A0120A9FDB14CFA9C9A0FEABBB5FF49300F14506AE905AB395D770A941CF90

Function 005C31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005C327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005C3287

Strings

Combobox, xrefs: 005C3249

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8978362eb3fb8e9eaba6819473d94a4298f5cdda50ae3a47b2fdb3fe4a6df789
Instruction ID: 6789e658c40610b707596f2980520a6214b18ac4bf512a68e63a08b27f5f1aee
Opcode Fuzzy Hash: 8978362eb3fb8e9eaba6819473d94a4298f5cdda50ae3a47b2fdb3fe4a6df789
Instruction Fuzzy Hash: E611D07520020D7FEF219E94DC84FBB3F6AFB98364F108128F9189B290D6319D5187A0

Function 005C3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0053600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0053604C
Part of subcall function 0053600E: GetStockObject.GDI32(00000011), ref: 00536060
Part of subcall function 0053600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0053606A

GetWindowRect.USER32(00000000,?), ref: 005C377A
GetSysColor.USER32(00000012), ref: 005C3794

Strings

static, xrefs: 005C3757

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 44815f13f8784333a14b6335ec252782a029f39b801ed8eab3d333c13a67a2ab
Instruction ID: 018a6761af0ae96a949ff2a9871bb2fc669a8366dea11d070df52e444f0164ab
Opcode Fuzzy Hash: 44815f13f8784333a14b6335ec252782a029f39b801ed8eab3d333c13a67a2ab
Instruction Fuzzy Hash: 7E1129B261020AAFDB01DFA8CC4AEEA7BF8FB09314F004918F955E2250E775E9519B50

Function 005ACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005ACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 005ACDA6

Strings

<local>, xrefs: 005ACD66

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 80e77253870b49d8970bb85409a91fe74e6720443146fb69014cb3613be99a40
Instruction ID: 1a76c02ea20a43d893b2bbb57af2fcb48345073b8c45d30753fa2890db3ce27d
Opcode Fuzzy Hash: 80e77253870b49d8970bb85409a91fe74e6720443146fb69014cb3613be99a40
Instruction Fuzzy Hash: 6211C271205675BAD7384B668C49EFBBEADFF237A4F00462AB11983180D7749844D6F0

Function 005C3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005C34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005C34BA

Strings

edit, xrefs: 005C348F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e237d8c31423031ab9caecbd6a4b907ae20d1c44baba1ae42e0444c770d2b892
Instruction ID: ee1ace5c18d3485a964d14db99909bd4075b8340ebe10828e1312bd784e8715f
Opcode Fuzzy Hash: e237d8c31423031ab9caecbd6a4b907ae20d1c44baba1ae42e0444c770d2b892
Instruction Fuzzy Hash: 23119D71100108AEEF154EA4DC88FAB3F6AFB15374F508728F964971D0C731DC519B50

Function 00596C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

CharUpperBuffW.USER32(?,?,?), ref: 00596CB6
_wcslen.LIBCMT ref: 00596CC2

Strings

STOP, xrefs: 00596CBC, 00596CC1

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: e6584e3bfab00180719424305cf3f5067e1ec27b68aecd7b1ea83a4dc08b3ce3
Instruction ID: 05ab8a9eb2e3448bec9a2cb138361ef950831ab011407eb8ef08d2ee59fba7f4
Opcode Fuzzy Hash: e6584e3bfab00180719424305cf3f5067e1ec27b68aecd7b1ea83a4dc08b3ce3
Instruction Fuzzy Hash: 540104326005278ACF219FBDDC858BF7FB4FAA0710B400924F86292190EB31DC48C650

Function 00591CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 00593CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00593CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00591D4C

Strings

ListBox, xrefs: 00591D16
ComboBox, xrefs: 00591CEB

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5a4f9025d86b9ef9ef9165d74dd21445503529e8c366bc6b0158a1f1e9034811
Instruction ID: db6a064cf9642a652b9e81032c6bba8213e28011166b29c205149b4566667cca
Opcode Fuzzy Hash: 5a4f9025d86b9ef9ef9165d74dd21445503529e8c366bc6b0158a1f1e9034811
Instruction Fuzzy Hash: C301D87160162AAB8F08EBA4CD59CFE7F68FF96350F040919F822572C1EA705908C660

Function 00591BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 00593CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00593CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00591C46

Strings

ListBox, xrefs: 00591C10
ComboBox, xrefs: 00591BE5

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e09d52a03b1eedc869537bb262d71dffc58fc4057b1d5cf6e687193f17c28d8b
Instruction ID: c24992ac8fe2054c4120d296048188e8d21301d4ec9ea31f2590339e4c929660
Opcode Fuzzy Hash: e09d52a03b1eedc869537bb262d71dffc58fc4057b1d5cf6e687193f17c28d8b
Instruction Fuzzy Hash: BE01F7B168451A6ACF05EB90CA59DFF7FA8BF91340F100019F50667281EA609E08C6B5

Function 00591C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 00593CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00593CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00591CC8

Strings

ListBox, xrefs: 00591C94
ComboBox, xrefs: 00591C69

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 28cee96f4fbded15116aa7665bb08b25e46f4b38bd4644b2a93e7c5e095a8332
Instruction ID: 86599b36c11b45f02e096130fe1e1733768748fc06de046de73f8ba8a77f0d45
Opcode Fuzzy Hash: 28cee96f4fbded15116aa7665bb08b25e46f4b38bd4644b2a93e7c5e095a8332
Instruction Fuzzy Hash: 1101D6B568052A67CF05EBA4CA06EFE7FA8BF51380F540415B902B7281EAA09F08C675

Function 0054A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0054A529

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Strings

,%`, xrefs: 0054A509
3yX, xrefs: 0054A545, 0054A54D, 0054A552

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%`$3yX
API String ID: 2551934079-3373406087
Opcode ID: 1a4bd61d7ffd5443474d6c36a4bdad6abafc3226a9dc936e95c2d4102ca41bcf
Instruction ID: 8c3d7f6ee14af8074cab041c13f8cb5db7b7342c50a539c1be13bb9d2accb833
Opcode Fuzzy Hash: 1a4bd61d7ffd5443474d6c36a4bdad6abafc3226a9dc936e95c2d4102ca41bcf
Instruction Fuzzy Hash: 010176317806128BCE05F768ED2FAEE3F15FB86714F400029F9061B1C3EE509D058A9B

Function 00591D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 00593CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00593CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00591DD3

Strings

ListBox, xrefs: 00591DA0
ComboBox, xrefs: 00591D75

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7dae722532faf98f812e38c8aa676260f06c5e38a5a5a701a43bb49cbb70ea5e
Instruction ID: 0e65d6f921608faf35724697511cdfc168de935385135d5c971ce4f17ddae500
Opcode Fuzzy Hash: 7dae722532faf98f812e38c8aa676260f06c5e38a5a5a701a43bb49cbb70ea5e
Instruction Fuzzy Hash: 49F0A4B5A5172A66DF04E7A4CD5AEFE7F68BF81350F040915B922A72C1EAA0590882A4

Function 005C8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00603018,0060305C), ref: 005C81BF
CloseHandle.KERNEL32 ref: 005C81D1

Strings

\0`, xrefs: 005C818A

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0`
API String ID: 3712363035-135485805
Opcode ID: 19dddb6ffbe114b536faa5c70606ada337140c42cf35a3bac2bb35404398a9ce
Instruction ID: 06c3af335e8dfe039895c1689dbedb28b1ca17b2462e01a6302854177455dee2
Opcode Fuzzy Hash: 19dddb6ffbe114b536faa5c70606ada337140c42cf35a3bac2bb35404398a9ce
Instruction Fuzzy Hash: 18F05EF1681320BEF3206B61AC49FB73E5DEB15B56F004861FF09D52A2D6798A0493F8

Function 005B747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005B7493
_wcslen.LIBCMT ref: 005B74B9

Strings

3, 3, 16, 1, xrefs: 005B7483

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: f182dcdd15c7789b1620cfa26d2e2cf4e9a66065c638f5222240e8fc10d9a20e
Instruction ID: 000a2f452e515db7c2f87f50c7e3fdc26d14e5efa546a7ba515f0c96040bf38d
Opcode Fuzzy Hash: f182dcdd15c7789b1620cfa26d2e2cf4e9a66065c638f5222240e8fc10d9a20e
Instruction Fuzzy Hash: 80E02B0260432520973112799CC69BF5E99FFCD752710182BFD81C2266EA949DD193A0

Function 00590B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00590B23

Strings

Error allocating memory., xrefs: 00590B1C
AutoIt, xrefs: 00590B17

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 68bc8a12a68de13058279c7f54a0e6c3f8db3f4e35b06d2bd126476276a02c49
Instruction ID: a69e622200ff2f4c8bea8aa48e133dc7b37d43e9c9cbfc1a92f9b267bea47e4b
Opcode Fuzzy Hash: 68bc8a12a68de13058279c7f54a0e6c3f8db3f4e35b06d2bd126476276a02c49
Instruction Fuzzy Hash: 23E0D8312443093ED21436947C07FCD7FC8FF05B15F10042EFB9C554C38AE164A056A9

Function 00550D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0054F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00550D71,?,?,?,0053100A), ref: 0054F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0053100A), ref: 00550D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0053100A), ref: 00550D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00550D7F

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: cfae2a27e4faba07165a01a3f2fe9acacde0f69e62b83640962180b4d0686946
Instruction ID: b2dfced31298fa5b467f622f31cb87f34eb4b2be0509022f0601c18083f09062
Opcode Fuzzy Hash: cfae2a27e4faba07165a01a3f2fe9acacde0f69e62b83640962180b4d0686946
Instruction Fuzzy Hash: 2BE06D742007418FD7609FB8D418B467FF5FF10745F00592EE886C6691DBB5E4488B91

Function 0054E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0054E3D5

Strings

8%`, xrefs: 0054E3CA
0%`, xrefs: 0054E3B5

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%`$8%`
API String ID: 1385522511-1530242074
Opcode ID: b58ef53bc709c8c95faa1c73b801b143398cde1972a7199c5a552c1945fc1af9
Instruction ID: e5e7a6104a0212ab815819bfeaaaba188d0692b7fc4fdc8aff0d0e27ef13c044
Opcode Fuzzy Hash: b58ef53bc709c8c95faa1c73b801b143398cde1972a7199c5a552c1945fc1af9
Instruction Fuzzy Hash: BEE08631494912CBC70B9F18FC7EECA3B57BF45324F5029A5F512871D19B703841865D

Function 005A3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 005A302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 005A3044

Strings

aut, xrefs: 005A3038

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: c62a4c3001f011156ca3b33ebdbced53caa1bf04321cce2a58a143b09c6cfb2a
Instruction ID: 2c4c7a34fc8318370a63744659fedc094e006bec9b504924a15fed8d3c84769e
Opcode Fuzzy Hash: c62a4c3001f011156ca3b33ebdbced53caa1bf04321cce2a58a143b09c6cfb2a
Instruction Fuzzy Hash: 12D05E76500328ABDA20E7A4AC0EFDB3E6CDB04750F0002A1B699E2091DAB49988CAD0

Function 0058D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0058D220

Strings

X64, xrefs: 0058D2A8
%.3d, xrefs: 0058D22B

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8c59448eded8b78442480dd11967c73182b3d16050a86ec5400ede399c244808
Instruction ID: f8a5a1d0dad009a0837f231f7d842235f13130c8df73898688961aafe6e6d755
Opcode Fuzzy Hash: 8c59448eded8b78442480dd11967c73182b3d16050a86ec5400ede399c244808
Instruction Fuzzy Hash: 6ED0EC79808109EACA90A6D098498B9BBBDBB18301F508852FD0BA2080E628C5086771

Function 005C2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005C236C
PostMessageW.USER32(00000000), ref: 005C2373

Part of subcall function 0059E97B: Sleep.KERNEL32 ref: 0059E9F3

Strings

Shell_TrayWnd, xrefs: 005C2365

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f7d698ca557f473c8f3c2bd7c3601c38b9301f42bf6aa4386b15ab3a28ee939e
Instruction ID: 7fd1603b491c900356734bb66661ad9f424868dff67708b86c900f8d0e382c9e
Opcode Fuzzy Hash: f7d698ca557f473c8f3c2bd7c3601c38b9301f42bf6aa4386b15ab3a28ee939e
Instruction Fuzzy Hash: 7DD0C9327C17147AE664B7719C0FFC66E14AB55B14F004916B74AEA1D0C9A4A8458A54

Function 005C2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005C232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005C233F

Part of subcall function 0059E97B: Sleep.KERNEL32 ref: 0059E9F3

Strings

Shell_TrayWnd, xrefs: 005C2325

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 940df38ddbcd188a1696a1383fb359f2141a262e33465e908089cb2680233af7
Instruction ID: 79b48d756e5b9287e1d5769631710e61afadf63e6787175ceeb3dc7bd1784614
Opcode Fuzzy Hash: 940df38ddbcd188a1696a1383fb359f2141a262e33465e908089cb2680233af7
Instruction Fuzzy Hash: 65D0A932780300BAE664B3309C0FFC66E04AB10B00F000906B30AAA0D0C8A4A8048A40

Function 0056BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0056BE93
GetLastError.KERNEL32 ref: 0056BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0056BEFC

Memory Dump Source

Source File: 00000000.00000002.3305861512.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.3305829379.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3305931536.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306011306.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306034040.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 911b0af080adaa3773328bbe121bb14bf8667c12830092d9c0a33dca7e5b6156
Instruction ID: 83625ecd3fbd831d4b211fc14405fb6c26d1c60016a1cee96030cacacb154012
Opcode Fuzzy Hash: 911b0af080adaa3773328bbe121bb14bf8667c12830092d9c0a33dca7e5b6156
Instruction Fuzzy Hash: C3410635600206AFEF218FA5CC98ABABFA9FF51310F144169F959D71B1DB318D81DB60

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-268956703&timestamp=1727451672597 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=517=RHXJVC4If9b-QCeiogG9v9JxDjwWKzDVWs0P13uxiZehPJm-wBLW4gWAb3WueSqSZ3EOE9UyBpEft63_BIS8X5IbeOl3DazO4Sb2ipSJTiy1Un3LlGeHMetebZk74_SI3ElkUDexuF4nkJhu2atlpGNgjLCrJk86OP-NBeGqm4vFwZdM_g
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Fkdu+bNZOm46ZGH&MD=vvCwg5c6 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Fkdu+bNZOm46ZGH&MD=vvCwg5c6 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 103

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Chrome Cache Entry: 91

Chrome Cache Entry: 92

Chrome Cache Entry: 93

Chrome Cache Entry: 94

Chrome Cache Entry: 95

Chrome Cache Entry: 96

Windows Analysis Report
file.exe

Function 005342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 005342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00572BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0059DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Function 00532CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0057065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0053344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00532B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00533170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre