Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1523044
MD5:	27ca789e11c7fcd10b8932bf3a42f574
SHA1:	d7e057e8c14fe9aca3a8ee1e480227f4666d2c29
SHA256:	4fb989bb07953df353ad6ed3d97353adbf9d167892dffffbf99ac681f5509091
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 5668 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 27CA789E11C7FCD10B8932BF3A42F574)

taskkill.exe (PID: 816 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 4340 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7236 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=2004,i,10407444804850193648,4541429428570766370,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 8144 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5468 --field-trial-handle=2004,i,10407444804850193648,4541429428570766370,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 8152 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 --field-trial-handle=2004,i,10407444804850193648,4541429428570766370,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

String found in binary or memory: _.iq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.iq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.iq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.iq(_.rq(c))+"&hl="+_.iq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.iq(m)+"/chromebook/termsofservice.html?languageCode="+_.iq(d)+"&regionCode="+_.iq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 507sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_78.12.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_78.12.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000002.1272996732.00000000010F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_85.12.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_78.12.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_78.12.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_85.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_85.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_78.12.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_78.12.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_78.12.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_78.12.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_78.12.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_78.12.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_78.12.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_78.12.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_78.12.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_78.12.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_78.12.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_78.12.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_85.12.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_78.12.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_78.12.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_78.12.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_85.12.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_78.12.dr	String found in binary or memory: https://www.google.com
Source: chromecache_78.12.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_85.12.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_85.12.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_85.12.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_85.12.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_85.12.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_85.12.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_78.12.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_78.12.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000002.1273062580.0000000001120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_78.12.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.7:49756 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EFEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00EFEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EFED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00EFED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00EFEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EEAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00EEAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F19576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00F19576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ba905857-b
Source: file.exe, 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1100ee29-d
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_691b91f2-3
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ac12b141-a

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EED5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00EED5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00EE1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EEE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00EEE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E88060	0_2_00E88060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF2046	0_2_00EF2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE8298	0_2_00EE8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EBE4FF	0_2_00EBE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB676B	0_2_00EB676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F14873	0_2_00F14873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8CAF0	0_2_00E8CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EACAA0	0_2_00EACAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9CC39	0_2_00E9CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB6DD9	0_2_00EB6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9D063	0_2_00E9D063
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E891C0	0_2_00E891C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9B119	0_2_00E9B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA1394	0_2_00EA1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA1706	0_2_00EA1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA781B	0_2_00EA781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA19B0	0_2_00EA19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9997D	0_2_00E9997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E87920	0_2_00E87920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA7A4A	0_2_00EA7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA7CA7	0_2_00EA7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA1C77	0_2_00EA1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB9EEE	0_2_00EB9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F0BE44	0_2_00F0BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA1F32	0_2_00EA1F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00EA0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E9F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E89CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.evad.winEXE@36/30@12/7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF37B5 GetLastError,FormatMessageW,

0_2_00EF37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE10BF AdjustTokenPrivileges,CloseHandle,		0_2_00EE10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00EE16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00EF51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EED4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00EED4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00EF648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E842A2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=2004,i,10407444804850193648,4541429428570766370,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5468 --field-trial-handle=2004,i,10407444804850193648,4541429428570766370,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 --field-trial-handle=2004,i,10407444804850193648,4541429428570766370,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=2004,i,10407444804850193648,4541429428570766370,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5468 --field-trial-handle=2004,i,10407444804850193648,4541429428570766370,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 --field-trial-handle=2004,i,10407444804850193648,4541429428570766370,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E842DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA0A76 push ecx; ret

0_2_00EA0A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E9F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F11C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00F11C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95785

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EEDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00EEDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EBC2A2 FindFirstFileExW,	0_2_00EBC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF68EE FindFirstFileW,FindClose,	0_2_00EF68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00EF698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EED076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EED3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EF9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EF979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00EF9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00EF5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E842DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EFEAA2 BlockInput,

0_2_00EFEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00EB2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E842DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00EA4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00EE0B62

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EB2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EA083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA09D5 SetUnhandledExceptionFilter,	0_2_00EA09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00EA0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00EE1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00EC2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EEB226 SendInput,keybd_event,

0_2_00EEB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00F022DA

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00EE0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00EE1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA0698 cpuid

0_2_00EA0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00EF8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EDD27A GetUserNameW,

0_2_00EDD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EBB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00EBB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E842DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F01204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00F01204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F01806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F01806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	13%	ReversingLabs	Win32.Trojan.Ludicrouz
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	216.58.206.78	true	false	unknown
www3.l.google.com	142.250.181.238	true	false	unknown
play.google.com	172.217.16.142	true	false	unknown
www.google.com	142.250.186.132	true	false	unknown
youtube.com	142.250.185.78	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_78.12.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_78.12.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_78.12.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_78.12.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_78.12.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_85.12.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_78.12.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_78.12.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_78.12.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_78.12.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_78.12.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_78.12.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_78.12.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_78.12.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_85.12.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_78.12.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_78.12.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_78.12.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_78.12.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_78.12.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_78.12.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_78.12.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_78.12.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.78	youtube.com	United States	15169	GOOGLEUS	false
142.250.181.238	www3.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.142	unknown	United States	15169	GOOGLEUS	false
142.250.186.132	www.google.com	United States	15169	GOOGLEUS	false
172.217.16.142	play.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.7

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523044
Start date and time:	2024-10-01 00:46:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@36/30@12/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 39 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 216.58.206.35, 216.58.206.78, 66.102.1.84, 34.104.35.123, 172.217.16.195, 142.250.186.99, 142.250.186.138, 216.58.206.74, 142.250.185.202, 172.217.16.202, 142.250.184.202, 142.250.185.138, 142.250.186.74, 142.250.184.234, 142.250.185.170, 142.250.185.234, 142.250.185.106, 142.250.186.106, 172.217.23.106, 142.250.185.74, 142.250.181.234, 172.217.18.10, 172.217.16.138, 142.250.186.42, 142.250.186.170, 216.58.206.42, 199.232.210.172, 216.58.206.67, 108.177.15.84, 172.217.18.110
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, time.windows.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	file.exe	Get hash	malicious	Unknown	Browse
	https://bestratedrobotvacuum.com/?bypass-cdn=1	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=rCxHFZLdZUGNvhn9cgWChLhuCDtpfZJDs2F6orjCzx1UQTZXSUlaNE5INzZVSkgxRlBKR1RMSTVRTi4u	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://wtm.ventes-privees-du-jour.com/r/eNplj92OmzAQRp+GvQwYbGNfRBVNwgblh61I0jQ3kTEmOAXsgoFNnr6utFppVcnSSOd845mZXApCiJCbs5xhHwkaMq/EwEMCc1wCRjGl3MOeC0iAXArdEmJaepgUhBKOwoJCQIUgBJU+CwoB3NCFrnK/DfPKGN07QeT4sX3TNM0q1TRCd3IUM64aC2Xb805qI1XrBLENL33iewR4nu/4eDDNtVdDx4UVk6htjxh1cf9QjSjk0FjFdf2BOGs0k7f2v7xomKwt7VQuOuNAz4hatMLMcmEtH3pjs921lF1vWtb8Gxi1rfwia/bpfibb7WqXWVvr66gtcfzgmiyvtrwUfJ4+1qCs1GnU/YrCyR4TK60aFU3idQ8ntNjW9+hZoTo/m7dl4PjfT7UZq27RguCy3hwOoZ/CanOkZnFKm8Oe4SnLJU5uXnywf50j/fb0ft/+8Et0eC2nJEu3krdIqEyy22bEjzBN90n9rLTMyO7Ml8kK3n+dH7dwWhNYgGP6owiHUdD7eRVnLOlHu8Lx/ZJ2uwc/BY8jgXGUDvsXJueAIgDJX8NYskg=	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	http://azgop.org/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
youtube-ui.l.google.com	file.exe	Get hash	malicious	Unknown	Browse	142.250.186.46
	file.exe	Get hash	malicious	Unknown	Browse	142.250.185.238
	file.exe	Get hash	malicious	Unknown	Browse	142.250.185.142
	file.exe	Get hash	malicious	Unknown	Browse	142.250.185.142
	file.exe	Get hash	malicious	Unknown	Browse	216.58.206.78
	file.exe	Get hash	malicious	Unknown	Browse	216.58.206.78
	file.exe	Get hash	malicious	Unknown	Browse	142.250.185.238
	file.exe	Get hash	malicious	Unknown	Browse	172.217.16.206
	file.exe	Get hash	malicious	Unknown	Browse	142.250.74.206
	file.exe	Get hash	malicious	Unknown	Browse	142.250.184.206

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	https://bestratedrobotvacuum.com/?bypass-cdn=1	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=rCxHFZLdZUGNvhn9cgWChLhuCDtpfZJDs2F6orjCzx1UQTZXSUlaNE5INzZVSkgxRlBKR1RMSTVRTi4u	Get hash	malicious	HTMLPhisher	Browse	4.245.163.56 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	https://wtm.ventes-privees-du-jour.com/r/eNplj92OmzAQRp+GvQwYbGNfRBVNwgblh61I0jQ3kTEmOAXsgoFNnr6utFppVcnSSOd845mZXApCiJCbs5xhHwkaMq/EwEMCc1wCRjGl3MOeC0iAXArdEmJaepgUhBKOwoJCQIUgBJU+CwoB3NCFrnK/DfPKGN07QeT4sX3TNM0q1TRCd3IUM64aC2Xb805qI1XrBLENL33iewR4nu/4eDDNtVdDx4UVk6htjxh1cf9QjSjk0FjFdf2BOGs0k7f2v7xomKwt7VQuOuNAz4hatMLMcmEtH3pjs921lF1vWtb8Gxi1rfwia/bpfibb7WqXWVvr66gtcfzgmiyvtrwUfJ4+1qCs1GnU/YrCyR4TK60aFU3idQ8ntNjW9+hZoTo/m7dl4PjfT7UZq27RguCy3hwOoZ/CanOkZnFKm8Oe4SnLJU5uXnywf50j/fb0ft/+8Et0eC2nJEu3krdIqEyy22bEjzBN90n9rLTMyO7Ml8kK3n+dH7dwWhNYgGP6owiHUdD7eRVnLOlHu8Lx/ZJ2uwc/BY8jgXGUDvsXJueAIgDJX8NYskg=	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	http://azgop.org/	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4071
Entropy (8bit):	5.363129487888587
Encrypted:	false
SSDEEP:	96:GUpT+TmXtdW1qsHFcn7t7CnyWYvNTcLalw:lpT+qXW1PFcn7tGnyWY1Tk
MD5:	5DE1D7CDC36C4E5F382A84353107425E
SHA1:	AD4BEF49EFF0A9F7EDCED3EF0F5F6B9DE229EB37
SHA-256:	3496137475D197D8FC520B396AA59445D302F0A41C9377A0A3F4523C0EF29DE6
SHA-512:	841D824896F4FCAF5C23BC6CA64064732EBDF392D1ED854E870124D18F3A080AE0B4F63B6FCAF9E913CB3AF70A1832EF693E1F2C25B0F288231A32164557F3C0
Malicious:	false
Reputation:	low
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEH86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFSx2KuJtQynzb5elc5wFf5a1q72w/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.zg(_.dqa);._.k("sOXFj");.var ou=function(a){_.X.call(this,a.Fa)};_.J(ou,_.X);ou.Ba=_.X.Ba;ou.prototype.aa=function(a){return a()};_.iu(_.cqa,ou);._.l();._.k("oGtAuc");._.oya=new _.uf(_.dqa);._.l();._.k("q0xTif");.var iza=function(a){var b=function(d){_.Zn(d)&&(_.Zn(d).Gc=null,_.yu(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Ku=function(a){_.et.call(this,a.Fa);this.Qa=this.dom=null;if(this.Vk()){var b=_.Jm(this.Mg(),[_.Om,_.Nm]);b=_.ri([b[_.Om],b[_.Nm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.cu(this,b)}this.Ra=a.Xl.Hda};_.J(Ku,_.et);Ku.Ba=function(){return{Xl:{Hda:function(a){return _.Ye(a)}}}};Ku.prototype.yp=function(a){return this.Ra.yp(a)};.Ku.prototype.getData=function(a){return this.Ra.getData(a)};Ku.prototype.vp=function(){_.Ft(this.d

Chrome Cache Entry: 77

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	697906
Entropy (8bit):	5.5934290978859496
Encrypted:	false
SSDEEP:	6144:TYNlxfbDTYDhzCTNoygVWyJb5em3bL2Mp15gI8seqfh53p+rrvV7i:T25bDTYB+qemD+Nu
MD5:	61632AEF1EA70545E53C29AAECC3E178
SHA1:	C57350B6801E079DBE60E33C76A5FEC186C2E639
SHA-256:	D4E7EE7A1B43DA6177504AF736D09AD589F8278A814C6E95FB5C54ABA2B8A3EE
SHA-512:	EB5BFEEB5AF44D4B9BAE4611D363BED07601F0871E4B53B4FE4EA8995DA6A43D21E30782010EC3C3A0DC7289557B942CC32850C7068BE818453339279328E08E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEH86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFSx2KuJtQynzb5elc5wFf5a1q72w/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5049
Entropy (8bit):	5.317800104741948
Encrypted:	false
SSDEEP:	96:oHX9gPiPrfnHhsB0TR6kg1oDPJzLmM18Vh1z2fEZ54TZtnqj6w:EtEAr6BmPZtOeEvW/ncP
MD5:	CE53EF566B68CCF2D62FA044CFB0D138
SHA1:	F48EC60289F2B55E8B388601206888F8295B1EB1
SHA-256:	E6CC5114D92811D5DE0663266D4B63F367834AFA0FC3BAFA54F707038C59D010
SHA-512:	20B434881DE971E263669E6096C01665D4D35B0FBFF47D312A4A442645EE962A8CE6AD7E68246D4EE9691BD30D9B1DDCF7059226492E1B58CD3191B63B001E4D
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEH86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFSx2KuJtQynzb5elc5wFf5a1q72w/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.$Ma=_.y("wg1P6b",[_.OA,_.Fn,_.Rn]);._.k("wg1P6b");.var M5a;M5a=_.oh(["aria-"]);._.mJ=function(a){_.Y.call(this,a.Fa);this.Ja=this.ta=this.aa=this.viewportElement=this.La=null;this.Tc=a.Ea.qf;this.ab=a.Ea.focus;this.Lc=a.Ea.Lc;this.ea=this.Ei();a=-1*parseInt(_.Fo(this.Ei().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Fo(this.Ei().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.gf(this.getData("isMenuDynamic"),!1);b=_.gf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Sc(0),_.fu(this,.N5a(this,this.aa.el())));_.mF(this.oa())&&(a=this.oa().el(),b=this.De.bind(this),a.__soy_skip_handler=b)};_.J(_.mJ,_.Y);_.mJ.Ba=function(){return{Ea:{qf:_.SE,focus:_.BE,Lc:_.mu}}};_.mJ.prototype.pF=function(a){var b=a.source;this.La=b;var c;((c=a.data)==null?0:c.Jy)?(a=a.data.Jy,this.Ca=a==="MOUS

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (569)
Category:	downloaded
Size (bytes):	3471
Entropy (8bit):	5.5174491302699495
Encrypted:	false
SSDEEP:	96:ojAmjTJ/fJgpIcB7Fd2tilGBEMO/A6VxV08w:vUTJpgDJXM0ApJ
MD5:	2D999C87DD54C7FE6400D267C33FBB23
SHA1:	414C3A329C2760325EDBACBD7A221D7F8DBFEEE8
SHA-256:	76D55A1AFC1D39CB04D60EB04E45A538A0E75EE2871561C84CC89B1C13596BCC
SHA-512:	72D923BB71DD147139962FF8E2BD0E336E0F6409C212AC2F25387D0F3B4FC9365F5A6D40E2980BB1065534888362C97D6B7663E362D29166B5915D2A9DA7D238
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEH86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFSx2KuJtQynzb5elc5wFf5a1q72w/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var Txa=function(){var a=_.Ke();return _.L(a,1)},Tt=function(a){this.Da=_.t(a,0,Tt.messageId)};_.J(Tt,_.w);Tt.prototype.Ha=function(){return _.Hj(this,1)};Tt.prototype.Va=function(a){return _.Yj(this,1,a)};Tt.messageId="f.bo";var Ut=function(){_.km.call(this)};_.J(Ut,_.km);Ut.prototype.ud=function(){this.jT=!1;Uxa(this);_.km.prototype.ud.call(this)};Ut.prototype.aa=function(){Vxa(this);if(this.hC)return Wxa(this),!1;if(!this.sV)return Vt(this),!0;this.dispatchEvent("p");if(!this.fP)return Vt(this),!0;this.jM?(this.dispatchEvent("r"),Vt(this)):Wxa(this);return!1};.var Xxa=function(a){var b=new _.gp(a.z4);a.WP!=null&&_.Mn(b,"authuser",a.WP);return b},Wxa=function(a){a.hC=!0;var b=Xxa(a),c="rt=r&f_uid="+_.sk(a.fP);_.fn(b,(0,_.eg)(a.ea,a),"POST",c)};.Ut.prototype.ea=function(a){a=a.target;Vxa(this);if(_.jn(a)){this.RJ=0;if(this.jM)this.hC=!1,this.dispatchEvent("r")

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3346)
Category:	downloaded
Size (bytes):	22827
Entropy (8bit):	5.420322672717721
Encrypted:	false
SSDEEP:	384:/jqdWXWfyA20UUjDE8BSUxDJs16KHvSN34kaHaN+587SaXD2mLR0H:/jqdWXAUUjDE84Wi6KPSKjHaN+58+0J2
MD5:	2B29741A316862EE788996DD29116DD5
SHA1:	9D5551916D4452E977C39B8D69CF88DF2AAA462B
SHA-256:	62955C853976B722EFBB4C116A10DB3FF54580EDD7495D280177550B8F4289AB
SHA-512:	6E37C3258F07F29909763728DADE0CD40A3602D55D9099F78B37756926FCF2A50008B82876B518FEAF3E56617F0F7D1D37A73C346A99A58E6AD8BCD6689E9B15
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEH86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFSx2KuJtQynzb5elc5wFf5a1q72w/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.pu.prototype.da=_.ca(38,function(){return _.vj(this,3)});_.Vy=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.Vy.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.Wy=function(){this.ka=!0;var a=_.Bj(_.jk(_.Fe("TSDtV",window),_.pya),_.pu,1,_.uj())[0];if(a){var b={};for(var c=_.n(_.Bj(a,_.qya,2,_.uj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Nj(d,1).toString();switch(_.xj(d,_.qu)){case 3:b[e]=_.Lj(d,_.pj(d,_.qu,3));break;case 2:b[e]=_.Nj(d,_.pj(d,_.qu,2));break;case 4:b[e]=_.Oj(d,_.pj(d,_.qu,4));break;case 5:b[e]=_.L(d,_.pj(d,_.qu,5));break;case 6:b[e]=_.Sj(d,_.kf,6,_.qu);break;default:throw Error("id`"+_.xj(d,_.qu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.Wy.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Fe("nQyAE",window)){var b=_.sya(a.flagName);if(b===null)a=a.def

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.253939888205379
Encrypted:	false
SSDEEP:	48:o7BNJfeFb8L3A6FHqIy5Z+d70OCzSfvi/3fM/r8ZQzRrw:oFuILhFHrVCz0vLZz9w
MD5:	10FF6F99E3228E96AFD6E2C30EF97C0A
SHA1:	4AE3DCB8D1F5A0C302D5BAD9DFF5050A7A5E8130
SHA-256:	95E5546E1C7F311D07BB5050CC456A973E43BCC4777BA6014757376016537679
SHA-512:	116C0B1CAC98A27044100005545AB66BE5F4801D75DC259093A9F145B3A4ACD8DC1C360AF525F6DC8421CD54B675A78023D2ED8B57F5946A3969543758C673C9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEH86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFSx2KuJtQynzb5elc5wFf5a1q72w/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.$Z=function(a){_.X.call(this,a.Fa);this.window=a.Ea.window.get();this.Mc=a.Ea.Mc};_.J(_.$Z,_.X);_.$Z.Ba=function(){return{Ea:{window:_.lu,Mc:_.vE}}};_.$Z.prototype.Mo=function(){};_.$Z.prototype.addEncryptionRecoveryMethod=function(){};_.a_=function(a){return(a==null?void 0:a.Go)\|\|function(){}};_.b_=function(a){return(a==null?void 0:a.N2)\|\|function(){}};_.OOb=function(a){return(a==null?void 0:a.Mp)\|\|function(){}};._.POb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.QOb=function(a){setTimeout(function(){throw a;},0)};_.$Z.prototype.WN=function(){return!0};_.iu(_.Dn,_.$Z);._.l();._.k("ziXSP");.var t_=function(a){_.$Z.call(this,a.Fa)};_.J(t_,_.$Z);t_.Ba=_.$Z.Ba;t_.prototype.Mo=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.280977407061266
Encrypted:	false
SSDEEP:	48:o7YNJvl3WlENrpB3stYCIgMxILNH/wf7DVTBpdQrw:oApB8iDwYlGw
MD5:	4FB66582D37D04933F00E49C2FBA34D4
SHA1:	3DB09C53BBEB1EEB045A001356E498D8EF30915D
SHA-256:	A97DAC01ABFE3EB75C7C97D504E21BDDDADDB6EBE0B56B6A9A10CD3700CAB41B
SHA-512:	2AEB3A6CFFBF6EFA626EBDC9E11ACBAC04BFE986F98FBC050B2501898B289C67D392ED195D16ACC9565EF8784401ADA1E88188CDE3A7AB12D98BB5ED7D8A5711
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEH86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFSx2KuJtQynzb5elc5wFf5a1q72w/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.zg(_.Kla);_.$z=function(a){_.X.call(this,a.Fa);this.aa=a.Wa.cache};_.J(_.$z,_.X);_.$z.Ba=function(){return{Wa:{cache:_.Zs}}};_.$z.prototype.execute=function(a){_.Gb(a,function(b){var c;_.df(b)&&(c=b.eb.jc(b.jb));c&&this.aa.oG(c)},this);return{}};_.iu(_.Qla,_.$z);._.l();._.k("ZDZcre");.var ZG=function(a){_.X.call(this,a.Fa);this.Nl=a.Ea.Nl;this.G3=a.Ea.metadata;this.aa=a.Ea.Ws};_.J(ZG,_.X);ZG.Ba=function(){return{Ea:{Nl:_.DG,metadata:_.HZa,Ws:_.AG}}};ZG.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Gb(a,function(c){var d=b.G3.getType(c.Md())===2?b.Nl.Pb(c):b.Nl.fetch(c);return _.Jl(c,_.EG)?d.then(function(e){return _.Jd(e)}):d},this)};_.iu(_.Vla,ZG);._.l();._.k("K5nYTd");._.GZa=new _.uf(_.Rla);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var GG=function(a){_.X.call(this,a.Fa);this.aa=a.Ea.ZP};_.J(GG,_.X);GG.Ba=func

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	604377
Entropy (8bit):	5.790228291888412
Encrypted:	false
SSDEEP:	3072:l0pApkygA62bwwdnO2YflNYhFGOizdGj008PpVVM96C5bMEPQUhts6FV8eKqtVAQ:llgNmwwdnOsF98oNGuQRAYqXsI1x
MD5:	286F2996F0ABEBBEBF95F7F14685F8CF
SHA1:	8F1D6ECFE1669D6503BA2D78352EB914AF58571A
SHA-256:	70E7837B2A17751C0A61DD21B49975DC08D0939A33201D313D0BDF64E6851F9B
SHA-512:	8B51E9CB3B075E0203140CD567BB282719CDF10A929482C3804D9873CD5A81E29C3D9546CA0FB93D7B61FCD88C128903CFBDD79DFF34941C177EB4A9B1C4995D
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/am=xIFgKBi2EQjEH86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlGJ4o321hY8zfkESxEyT6FjvlBr8A/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x1ce1fc40, 0x51407a0, 0x1908, 0x0, 0x1b400000, 0x19a00000, 0x0, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Na,Ua,gaa,iaa,lb,qaa,xaa,Daa,Iaa,Laa,Mb,Maa,Rb,Vb,Wb,Naa,Oaa,Xb,Paa,Qaa,Raa,ac,Waa,Yaa,ic,jc,kc,cba,dba,hba,kba,mba,nba,rba,uba,oba,tba,sba,qba,pba,vba,zba,Dba,Eba,Bba,Kc,Lc,Hba,Jba,Nba,Oba,Pba,Qba,Mba,Rba,Tba,gd,Vba,Wba,Yba,$ba,Zba,bca,cca,dca,eca,gca,fca,ica,jca,kca,lca,oca,r

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.3750044852869046
Encrypted:	false
SSDEEP:	48:o7zfN/cD498xdg+Y5jNQ8js6npwk0OmNAEZbpMzR4EQBcW5QcHj9KWfGAeFKRrw:oCD9dA5jOEGh+EFqR4rhqUhzff9w
MD5:	39693D34EE3D1829DBB1627C4FC6687B
SHA1:	A03303C2F027F3749B48D5134D1F8FB3E495C6E9
SHA-256:	03B0C1B4E402E0BCF75D530DD9085B25357EEFD09E238453DE1F3A042542C076
SHA-512:	AC0749EDC33DA0EC0E40470388DD797B6528AD08B8FAC1C2AC42F85198131052BA1B533E90409D35DA237607E8B07D591FA6BA580B6A90B0D0AB2282A01F7585
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEH86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFSx2KuJtQynzb5elc5wFf5a1q72w/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var bA=function(a){_.X.call(this,a.Fa)};_.J(bA,_.X);bA.Ba=_.X.Ba;bA.prototype.wR=function(a){return _.af(this,{Wa:{HS:_.ol}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.oi(function(e){window._wjdc=function(f){d(f);e(PJa(f,b,a))}}):PJa(c,b,a)})};var PJa=function(a,b,c){return(a=a&&a[c])?a:b.Wa.HS.wR(c)};.bA.prototype.aa=function(a,b){var c=_.csa(b).Gj;if(c.startsWith("$")){var d=_.jm.get(a);_.xq[b]&&(d\|\|(d={},_.jm.set(a,d)),d[c]=_.xq[b],delete _.xq[b],_.yq--);if(d)if(a=d[c])b=_.ef(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.iu(_.Mfa,bA);._.l();._.k("SNUn3");._.OJa=new _.uf(_.Ag);._.l();._.k("RMhBfe");.var QJa=function(a){var b=_.wq(a);return b?new _.oi(function(c,d){var e=function(){b=_.wq(a);var f=_.Tfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32499
Entropy (8bit):	5.361345284201954
Encrypted:	false
SSDEEP:	768:mLX1O+aL6fgyIiREM4RKmh90toLoTswtF3ATcbDR6kIsnJd9DPyMv/FI:U2M4oltoLoTswtFoc/tIsnXFLI
MD5:	D5C3FB8EAE24AB7E40009338B5078496
SHA1:	5638BF5986A6445A88CD79A9B690B744B126BEC2
SHA-256:	597C14D360D690BCFDC2B8D315E6BB8879AEF33DE6C30D274743079BDB63C6B0
SHA-512:	6AE434850D473BEF15AA694AB4862596982CDDA6BD3991991D3ADD8F4A5F61DFBF8756D0DA98B72EF083909D68CF7B6B148A6488E9381F92FBF15CCB20176A0E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEH86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFSx2KuJtQynzb5elc5wFf5a1q72w/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var qua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.gp("//www.google.com/images/cleardot.gif");_.rp(c)}this.ka=c};_.h=qua.prototype;_.h.Vc=null;_.h.QY=1E4;_.h.Iz=!1;_.h.TP=0;_.h.qJ=null;_.h.DU=null;_.h.setTimeout=function(a){this.QY=a};_.h.start=function(){if(this.Iz)throw Error("dc");this.Iz=!0;this.TP=0;rua(this)};_.h.stop=function(){sua(this);this.Iz=!1};.var rua=function(a){a.TP++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.om((0,_.eg)(a.JG,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.eg)(a.Xia,a),a.aa.onerror=(0,_.eg)(a.Wia,a),a.aa.onabort=(0,_.eg)(a.Via,a),a.qJ=_.om(a.Yia,a.QY,a),a.aa.src=String(a.ka))};_.h=qua.prototype;_.h.Xia=function(){this.JG(!0)};_.h.Wia=function(){this.JG(!1)};_.h.Via=function(){this.JG(!1)};_.h.Yia=function(){this.JG(!1)};._.h.JG=function(a){sua(this);a?(this.Iz=!1,this.da.call(this.ea,!0)):this.TP<=0?rua(this):(this.Iz=!1,

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.316515499943097
Encrypted:	false
SSDEEP:	24:kMYD7DduJqrxsNL90YIzFK/Hb5eNhz1uktdDuvKKKGbLZ99GbSSF/ZR8OkdnprGJ:o7DQJopFN+ASCKKGbF99GbSS3RY7rw
MD5:	D97AB4594FC610665FF2763A650EE6A8
SHA1:	5C7459CA838D27BE45745571D8D96D156F4B9F8D
SHA-256:	767D778369623FD8F5FB98D3BCC3130D05D02CBE0B9B88DD226F43281B14E9AF
SHA-512:	CE4941B41C3A8CC983C1BBCC87EF682823CB9DB24EA7A570E35BBF832046340D433F7D47211384B61FA38F3527CC35C195A6068CCB24B48E1F492C5B4D4192A1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEH86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFSx2KuJtQynzb5elc5wFf5a1q72w/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.HZa=new _.uf(_.Km);._.l();._.k("P6sQOc");.var MZa=!!(_.Nh[1]&16);var OZa=function(a,b,c,d,e){this.ea=a;this.ta=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=NZa(this)},PZa=function(a){var b={};_.Ma(a.hS(),function(e){b[e]=!0});var c=a.WR(),d=a.cS();return new OZa(a.XO(),c.aa()1E3,a.oR(),d.aa()1E3,b)},NZa=function(a){return Math.random()Math.min(a.taMath.pow(a.ka,a.aa),a.Ca)},HG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var IG=function(a){_.X.call(this,a.Fa);this.da=a.Ea.mV;this.ea=a.Ea.metadata;a=a.Ea.lga;this.fetch=a.fetch.bind(a)};_.J(IG,_.X);IG.Ba=function(){return{Ea:{mV:_.KZa,metadata:_.HZa,lga:_.AZa}}};IG.prototype.aa=function(a,b){if(this.ea.getType(a.Md())!==1)return _.Vm(a);var c=this.da.JU;return(c=c?PZa(c):null)&&HG(c)?_.mya(a,QZa(this,a,b,c)):_.Vm(a)};.var QZa=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 90

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.3872171131917925
Encrypted:	false
SSDEEP:	192:FK/pAzN7GZ068Hqhqu6DQaVapzYjgKItwdiwUsYRTi1j1t9bRl9:FqI7GZ04dRYjghtgisYYbt9ll9
MD5:	AB70454DE18E1CE16E61EAC290FC304D
SHA1:	68532B5E8B262D7E14B8F4507AA69A61146B3C18
SHA-256:	B32D746867CC4FA21FD39437502F401D952D0A3E8DC708DFB7D58B85F256C0F1
SHA-512:	A123C517380BEF0B47F23A5A6E1D16650FE39D9C701F9FA5ADD79294973C118E8EA3A7BA32CB63C3DFC0CE0F843FB86BFFCAA2AAE987629E7DFF84F176DEBB98
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEH86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFSx2KuJtQynzb5elc5wFf5a1q72w/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.gNa=_.y("SD8Jgb",[]);._.QX=function(a,b){if(typeof b==="string")a.Nc(b);else if(b instanceof _.Ip&&b.ia&&b.ia===_.B)b=_.$a(b.ww()),a.empty().append(b);else if(b instanceof _.Wa)b=_.$a(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.RX=function(a){var b=_.Lo(a,"[jsslot]");if(b.size()>0)return b;b=new _.Jo([_.Qk("span")]);_.Mo(b,"jsslot","");a.empty().append(b);return b};_.TKb=function(a){return a===null\|\|typeof a==="string"&&_.Ki(a)};._.k("SD8Jgb");._.WX=function(a){_.Y.call(this,a.Fa);this.Ua=a.controller.Ua;this.kd=a.controllers.kd[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.WX,_.Y);_.WX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.hv},header:{jsname:"tJHJj",ctor:_.hv},nav:{jsname:"DH6Rkf",ct

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.579781734808154
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	27ca789e11c7fcd10b8932bf3a42f574
SHA1:	d7e057e8c14fe9aca3a8ee1e480227f4666d2c29
SHA256:	4fb989bb07953df353ad6ed3d97353adbf9d167892dffffbf99ac681f5509091
SHA512:	9129130f373ea8d76894bd58982238e54b7ac7948f0e683bb85013edaa7404c014f38b24f0726776b6610dda7ae030e0491bbe996bfe6b4afd439925dc6dd0ef
SSDEEP:	12288:8qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga9Tq:8qDEvCTbMWu7rQYlBQcBiT6rprG8a5q
TLSH:	E6159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FB29E2 [Mon Sep 30 22:44:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F8044B63663h
jmp 00007F8044B62F6Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8044B6314Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8044B6311Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8044B65D0Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8044B65D58h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8044B65D41h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x956c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x956c	0x9600	d6bdb5f7f3b3caa385ec65f2475ad1a3	False	0.284375	data	5.165498000914626	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x834	data			1.0052380952380953
RT_GROUP_ICON	0xdcfec	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd064	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd078	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd08c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0a0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd17c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 00:46:52.222394943 CEST	49671	443	192.168.2.7	204.79.197.203
Oct 1, 2024 00:46:53.425549984 CEST	49671	443	192.168.2.7	204.79.197.203
Oct 1, 2024 00:46:54.613038063 CEST	49674	443	192.168.2.7	104.98.116.138
Oct 1, 2024 00:46:54.613055944 CEST	49675	443	192.168.2.7	104.98.116.138
Oct 1, 2024 00:46:54.691173077 CEST	49672	443	192.168.2.7	104.98.116.138
Oct 1, 2024 00:46:55.831783056 CEST	49671	443	192.168.2.7	204.79.197.203
Oct 1, 2024 00:46:59.847914934 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 1, 2024 00:47:00.222425938 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 1, 2024 00:47:00.644329071 CEST	49671	443	192.168.2.7	204.79.197.203
Oct 1, 2024 00:47:00.972450972 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 1, 2024 00:47:02.056226015 CEST	49705	443	192.168.2.7	142.250.185.78
Oct 1, 2024 00:47:02.056236029 CEST	443	49705	142.250.185.78	192.168.2.7
Oct 1, 2024 00:47:02.057286978 CEST	49705	443	192.168.2.7	142.250.185.78
Oct 1, 2024 00:47:02.058386087 CEST	49705	443	192.168.2.7	142.250.185.78
Oct 1, 2024 00:47:02.058393955 CEST	443	49705	142.250.185.78	192.168.2.7
Oct 1, 2024 00:47:02.472229958 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 1, 2024 00:47:02.784545898 CEST	443	49705	142.250.185.78	192.168.2.7
Oct 1, 2024 00:47:02.785140038 CEST	49705	443	192.168.2.7	142.250.185.78
Oct 1, 2024 00:47:02.785154104 CEST	443	49705	142.250.185.78	192.168.2.7
Oct 1, 2024 00:47:02.785583973 CEST	443	49705	142.250.185.78	192.168.2.7
Oct 1, 2024 00:47:02.785646915 CEST	49705	443	192.168.2.7	142.250.185.78
Oct 1, 2024 00:47:02.786298990 CEST	443	49705	142.250.185.78	192.168.2.7
Oct 1, 2024 00:47:02.786351919 CEST	49705	443	192.168.2.7	142.250.185.78
Oct 1, 2024 00:47:02.787775993 CEST	49705	443	192.168.2.7	142.250.185.78
Oct 1, 2024 00:47:02.787841082 CEST	443	49705	142.250.185.78	192.168.2.7
Oct 1, 2024 00:47:02.787970066 CEST	49705	443	192.168.2.7	142.250.185.78
Oct 1, 2024 00:47:02.787976980 CEST	443	49705	142.250.185.78	192.168.2.7
Oct 1, 2024 00:47:02.831623077 CEST	49705	443	192.168.2.7	142.250.185.78
Oct 1, 2024 00:47:03.074820042 CEST	443	49705	142.250.185.78	192.168.2.7
Oct 1, 2024 00:47:03.075048923 CEST	443	49705	142.250.185.78	192.168.2.7
Oct 1, 2024 00:47:03.075109005 CEST	49705	443	192.168.2.7	142.250.185.78
Oct 1, 2024 00:47:03.075814962 CEST	49705	443	192.168.2.7	142.250.185.78
Oct 1, 2024 00:47:03.075834990 CEST	443	49705	142.250.185.78	192.168.2.7
Oct 1, 2024 00:47:04.222250938 CEST	49674	443	192.168.2.7	104.98.116.138
Oct 1, 2024 00:47:04.222255945 CEST	49675	443	192.168.2.7	104.98.116.138
Oct 1, 2024 00:47:04.300369978 CEST	49672	443	192.168.2.7	104.98.116.138
Oct 1, 2024 00:47:05.456846952 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 1, 2024 00:47:06.244183064 CEST	49713	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:47:06.244219065 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:06.244293928 CEST	49713	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:47:06.244509935 CEST	49713	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:47:06.244523048 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:06.765549898 CEST	443	49701	104.98.116.138	192.168.2.7
Oct 1, 2024 00:47:06.765639067 CEST	49701	443	192.168.2.7	104.98.116.138
Oct 1, 2024 00:47:06.846570969 CEST	49715	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:06.846628904 CEST	443	49715	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:06.846697092 CEST	49715	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:06.849560976 CEST	49715	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:06.849580050 CEST	443	49715	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:06.879750967 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:06.882137060 CEST	49713	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:47:06.882144928 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:06.883238077 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:06.883310080 CEST	49713	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:47:06.884414911 CEST	49713	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:47:06.884481907 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:06.925149918 CEST	49713	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:47:06.925156116 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:06.972029924 CEST	49713	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:47:07.501128912 CEST	443	49715	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:07.501205921 CEST	49715	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:07.505739927 CEST	49715	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:07.505759954 CEST	443	49715	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:07.506187916 CEST	443	49715	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:07.553066969 CEST	49715	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:07.559684038 CEST	49715	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:07.607397079 CEST	443	49715	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:07.784378052 CEST	443	49715	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:07.784434080 CEST	443	49715	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:07.784497023 CEST	49715	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:07.784871101 CEST	49715	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:07.784892082 CEST	443	49715	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:07.784902096 CEST	49715	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:07.784909010 CEST	443	49715	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:07.821204901 CEST	49717	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:07.821230888 CEST	443	49717	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:07.821409941 CEST	49717	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:07.821698904 CEST	49717	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:07.821710110 CEST	443	49717	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:08.468162060 CEST	443	49717	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:08.468247890 CEST	49717	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:08.469922066 CEST	49717	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:08.469933033 CEST	443	49717	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:08.470177889 CEST	443	49717	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:08.471604109 CEST	49717	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:08.515434980 CEST	443	49717	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:08.746689081 CEST	443	49717	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:08.746759892 CEST	443	49717	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:08.746814966 CEST	49717	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:08.747611046 CEST	49717	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:08.747626066 CEST	443	49717	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:08.747648954 CEST	49717	443	192.168.2.7	184.28.90.27
Oct 1, 2024 00:47:08.747653961 CEST	443	49717	184.28.90.27	192.168.2.7
Oct 1, 2024 00:47:10.244782925 CEST	49671	443	192.168.2.7	204.79.197.203
Oct 1, 2024 00:47:10.857660055 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:10.857675076 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:10.857721090 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:10.857925892 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:10.857939959 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.412857056 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 1, 2024 00:47:11.496829987 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.497108936 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.497126102 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.497495890 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.497554064 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.498199940 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.498248100 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.499106884 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.499162912 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.499360085 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.499366045 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.557267904 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.818449020 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.818700075 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.818737030 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.818761110 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.818773985 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.818804979 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.824440956 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.824510098 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.830780029 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.830810070 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.830832958 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.830841064 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.830869913 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.837066889 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.837111950 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.843336105 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.843363047 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.843395948 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.843405008 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.843447924 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.906567097 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.906645060 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.906672955 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.906718016 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.907543898 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.907587051 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.913775921 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.913810968 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.913835049 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.913847923 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.913877964 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.920197964 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.920263052 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.926506996 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.926568985 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.926578999 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.934189081 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.934267998 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.934277058 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.939069986 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.939137936 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:11.939148903 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.939213037 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:11.939260960 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:12.062319040 CEST	49729	443	192.168.2.7	142.250.181.238
Oct 1, 2024 00:47:12.062338114 CEST	443	49729	142.250.181.238	192.168.2.7
Oct 1, 2024 00:47:12.071242094 CEST	49731	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:12.071280003 CEST	443	49731	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:12.071333885 CEST	49731	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:12.071824074 CEST	49731	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:12.071840048 CEST	443	49731	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:12.384970903 CEST	49732	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:12.385010958 CEST	443	49732	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:12.385068893 CEST	49732	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:12.508361101 CEST	49732	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:12.508393049 CEST	443	49732	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:12.701186895 CEST	443	49731	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:12.701503992 CEST	49731	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:12.701529026 CEST	443	49731	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:12.701909065 CEST	443	49731	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:12.701971054 CEST	49731	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:12.702636003 CEST	443	49731	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:12.702685118 CEST	49731	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:12.703804016 CEST	49731	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:12.703874111 CEST	443	49731	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:12.704025030 CEST	49731	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:12.704032898 CEST	443	49731	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:12.753546000 CEST	49731	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.000684023 CEST	443	49731	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.001434088 CEST	49731	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.001496077 CEST	443	49731	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.001565933 CEST	49731	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.002705097 CEST	49735	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.002731085 CEST	443	49735	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.002815008 CEST	49735	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.003267050 CEST	49735	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.003273964 CEST	443	49735	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.137073040 CEST	443	49732	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.137290001 CEST	49732	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.137301922 CEST	443	49732	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.137859106 CEST	443	49732	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.137934923 CEST	49732	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.138593912 CEST	443	49732	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.138638973 CEST	49732	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.139152050 CEST	49732	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.139216900 CEST	443	49732	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.139497042 CEST	49732	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.139503956 CEST	443	49732	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.192316055 CEST	49732	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.439126968 CEST	443	49732	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.439541101 CEST	443	49732	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.439642906 CEST	49732	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.439769983 CEST	49732	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.439775944 CEST	443	49732	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.439788103 CEST	49732	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.439821959 CEST	49732	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.440718889 CEST	49739	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.440752029 CEST	443	49739	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.440819979 CEST	49739	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.441284895 CEST	49739	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.441302061 CEST	443	49739	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.635360003 CEST	443	49735	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.635696888 CEST	49735	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.635714054 CEST	443	49735	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.636075020 CEST	443	49735	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.636152983 CEST	49735	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.636781931 CEST	443	49735	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.636836052 CEST	49735	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.636974096 CEST	49735	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.637037039 CEST	443	49735	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.637120962 CEST	49735	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.637129068 CEST	443	49735	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.637151957 CEST	49735	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.677334070 CEST	49735	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.677340984 CEST	443	49735	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.852658033 CEST	443	49735	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.853775024 CEST	443	49735	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:13.853846073 CEST	49735	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.854505062 CEST	49735	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:13.854516983 CEST	443	49735	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:14.073729038 CEST	443	49739	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:14.073983908 CEST	49739	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:14.074002028 CEST	443	49739	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:14.074388027 CEST	443	49739	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:14.074460983 CEST	49739	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:14.075118065 CEST	443	49739	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:14.075170994 CEST	49739	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:14.075294971 CEST	49739	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:14.075355053 CEST	443	49739	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:14.075413942 CEST	49739	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:14.075424910 CEST	443	49739	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:14.075443029 CEST	49739	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:14.123403072 CEST	443	49739	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:14.129793882 CEST	49739	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:14.289475918 CEST	443	49739	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:14.290281057 CEST	443	49739	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:14.290349960 CEST	49739	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:14.291013002 CEST	49739	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:14.291033030 CEST	443	49739	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:14.319519997 CEST	49713	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:47:14.363428116 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:14.584738970 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:14.584790945 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:14.584825039 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:14.584877968 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:14.584897995 CEST	49713	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:47:14.584925890 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:14.584939003 CEST	49713	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:47:14.585721016 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:14.585786104 CEST	49713	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:47:14.604346991 CEST	49713	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:47:14.604358912 CEST	443	49713	142.250.186.132	192.168.2.7
Oct 1, 2024 00:47:15.046387911 CEST	49741	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:15.046403885 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:15.046468019 CEST	49741	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:15.048361063 CEST	49741	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:15.048372984 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:15.220946074 CEST	49701	443	192.168.2.7	104.98.116.138
Oct 1, 2024 00:47:15.221927881 CEST	49744	443	192.168.2.7	104.98.116.138
Oct 1, 2024 00:47:15.221956968 CEST	443	49744	104.98.116.138	192.168.2.7
Oct 1, 2024 00:47:15.222024918 CEST	49744	443	192.168.2.7	104.98.116.138
Oct 1, 2024 00:47:15.225944996 CEST	443	49701	104.98.116.138	192.168.2.7
Oct 1, 2024 00:47:15.232496023 CEST	49744	443	192.168.2.7	104.98.116.138
Oct 1, 2024 00:47:15.232508898 CEST	443	49744	104.98.116.138	192.168.2.7
Oct 1, 2024 00:47:15.821039915 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:15.821130991 CEST	49741	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:15.824043036 CEST	49741	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:15.824048042 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:15.824296951 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:15.879203081 CEST	49741	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:16.389378071 CEST	49741	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:16.435395956 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:16.718247890 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:16.718277931 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:16.718283892 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:16.718300104 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:16.718321085 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:16.718327045 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:16.718342066 CEST	49741	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:16.718359947 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:16.718396902 CEST	49741	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:16.718413115 CEST	49741	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:16.719171047 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:16.719224930 CEST	49741	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:16.719235897 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:16.719393969 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:16.719469070 CEST	49741	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:17.420139074 CEST	49741	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:17.420166969 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:17.420178890 CEST	49741	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:17.420185089 CEST	443	49741	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:19.975366116 CEST	49752	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:19.975402117 CEST	443	49752	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:19.975467920 CEST	49752	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:19.975760937 CEST	49752	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:19.975771904 CEST	443	49752	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:20.670768976 CEST	443	49752	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:20.670963049 CEST	49752	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:20.670970917 CEST	443	49752	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:20.671327114 CEST	443	49752	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:20.671905994 CEST	49752	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:20.671966076 CEST	443	49752	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:20.672144890 CEST	49752	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:20.672163010 CEST	49752	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:20.672173023 CEST	443	49752	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:20.998683929 CEST	443	49752	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:21.000008106 CEST	443	49752	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:21.000066042 CEST	49752	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:21.001140118 CEST	49752	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:21.001157999 CEST	443	49752	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:23.331964970 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 1, 2024 00:47:43.413878918 CEST	49753	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:43.413928986 CEST	443	49753	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:43.414011955 CEST	49753	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:43.414495945 CEST	49753	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:43.414510012 CEST	443	49753	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:44.067723036 CEST	443	49753	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:44.071571112 CEST	49753	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:44.071598053 CEST	443	49753	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:44.071953058 CEST	443	49753	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:44.072240114 CEST	49753	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:44.072297096 CEST	443	49753	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:44.072384119 CEST	49753	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:44.072397947 CEST	49753	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:44.072412014 CEST	443	49753	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:44.290402889 CEST	443	49753	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:44.291583061 CEST	443	49753	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:44.291671991 CEST	49753	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:44.299299002 CEST	49753	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:44.299329042 CEST	443	49753	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:45.179084063 CEST	49754	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:45.179131985 CEST	443	49754	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:45.179303885 CEST	49754	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:45.179913998 CEST	49754	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:45.179927111 CEST	443	49754	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:45.335431099 CEST	49755	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:45.335475922 CEST	443	49755	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:45.335581064 CEST	49755	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:45.335877895 CEST	49755	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:45.335890055 CEST	443	49755	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:45.832412004 CEST	443	49754	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:45.832743883 CEST	49754	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:45.832783937 CEST	443	49754	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:45.833146095 CEST	443	49754	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:45.833655119 CEST	49754	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:45.833719015 CEST	443	49754	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:45.833858013 CEST	49754	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:45.833873987 CEST	49754	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:45.833885908 CEST	443	49754	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:45.964251041 CEST	443	49755	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:45.964564085 CEST	49755	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:45.964580059 CEST	443	49755	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:45.964935064 CEST	443	49755	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:45.965594053 CEST	49755	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:45.965651035 CEST	443	49755	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:45.966201067 CEST	49755	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:45.966234922 CEST	49755	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:45.966244936 CEST	443	49755	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:46.129662037 CEST	443	49754	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:46.130368948 CEST	443	49754	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:46.130451918 CEST	49754	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:46.130594015 CEST	49754	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:46.130614042 CEST	443	49754	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:46.264189005 CEST	443	49755	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:46.264884949 CEST	443	49755	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:46.264996052 CEST	49755	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:46.265320063 CEST	49755	443	192.168.2.7	172.217.16.142
Oct 1, 2024 00:47:46.265336990 CEST	443	49755	172.217.16.142	192.168.2.7
Oct 1, 2024 00:47:54.107193947 CEST	49756	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:54.107229948 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:54.107341051 CEST	49756	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:54.107693911 CEST	49756	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:54.107705116 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:54.876332998 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:54.876519918 CEST	49756	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:54.879740000 CEST	49756	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:54.879750013 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:54.879987001 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:54.885968924 CEST	49756	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:54.931410074 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:55.200705051 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:55.200727940 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:55.200743914 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:55.200809956 CEST	49756	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:55.200824022 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:55.200876951 CEST	49756	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:55.200876951 CEST	49756	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:55.201325893 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:55.201386929 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:55.201414108 CEST	49756	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:55.201420069 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:55.201447010 CEST	49756	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:55.201546907 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:55.201601028 CEST	49756	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:55.203341961 CEST	49756	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:55.203341961 CEST	49756	443	192.168.2.7	4.245.163.56
Oct 1, 2024 00:47:55.203357935 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:55.203366041 CEST	443	49756	4.245.163.56	192.168.2.7
Oct 1, 2024 00:47:58.018328905 CEST	443	49744	104.98.116.138	192.168.2.7
Oct 1, 2024 00:47:58.018507957 CEST	49744	443	192.168.2.7	104.98.116.138
Oct 1, 2024 00:48:06.288147926 CEST	49758	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:48:06.288211107 CEST	443	49758	142.250.186.132	192.168.2.7
Oct 1, 2024 00:48:06.288291931 CEST	49758	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:48:06.288515091 CEST	49758	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:48:06.288522005 CEST	443	49758	142.250.186.132	192.168.2.7
Oct 1, 2024 00:48:06.927706957 CEST	443	49758	142.250.186.132	192.168.2.7
Oct 1, 2024 00:48:06.928967953 CEST	49758	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:48:06.928997040 CEST	443	49758	142.250.186.132	192.168.2.7
Oct 1, 2024 00:48:06.929460049 CEST	443	49758	142.250.186.132	192.168.2.7
Oct 1, 2024 00:48:06.929828882 CEST	49758	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:48:06.929913998 CEST	443	49758	142.250.186.132	192.168.2.7
Oct 1, 2024 00:48:06.973311901 CEST	49758	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:48:15.702583075 CEST	49760	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:15.702685118 CEST	443	49760	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:15.702775002 CEST	49760	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:15.702991009 CEST	49760	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:15.703016043 CEST	443	49760	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:15.787255049 CEST	49761	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:15.787348032 CEST	443	49761	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:15.787461042 CEST	49761	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:15.787744999 CEST	49761	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:15.787769079 CEST	443	49761	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.356163025 CEST	443	49760	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.359690905 CEST	49760	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:16.359719992 CEST	443	49760	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.360130072 CEST	443	49760	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.363004923 CEST	49760	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:16.363091946 CEST	443	49760	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.363562107 CEST	49760	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:16.363581896 CEST	49760	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:16.363590956 CEST	443	49760	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.440531969 CEST	443	49761	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.440812111 CEST	49761	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:16.440846920 CEST	443	49761	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.441153049 CEST	443	49761	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.441994905 CEST	49761	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:16.442043066 CEST	443	49761	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.443058014 CEST	49761	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:16.443123102 CEST	49761	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:16.443130016 CEST	443	49761	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.686400890 CEST	443	49760	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.686522007 CEST	443	49760	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.686610937 CEST	49760	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:16.686950922 CEST	49760	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:16.686970949 CEST	443	49760	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.705524921 CEST	443	49761	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.706315994 CEST	443	49761	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.706394911 CEST	49761	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:16.706702948 CEST	49761	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:16.706726074 CEST	443	49761	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:16.847341061 CEST	443	49758	142.250.186.132	192.168.2.7
Oct 1, 2024 00:48:16.847449064 CEST	443	49758	142.250.186.132	192.168.2.7
Oct 1, 2024 00:48:16.847515106 CEST	49758	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:48:29.361809015 CEST	49758	443	192.168.2.7	142.250.186.132
Oct 1, 2024 00:48:29.361820936 CEST	443	49758	142.250.186.132	192.168.2.7
Oct 1, 2024 00:48:47.976361990 CEST	49763	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:47.976445913 CEST	443	49763	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:47.976557016 CEST	49763	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:47.976823092 CEST	49763	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:47.976861954 CEST	443	49763	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.006624937 CEST	49764	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.006659031 CEST	443	49764	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.006737947 CEST	49764	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.007004023 CEST	49764	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.007015944 CEST	443	49764	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.631268978 CEST	443	49763	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.631572008 CEST	49763	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.631596088 CEST	443	49763	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.631939888 CEST	443	49763	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.632225037 CEST	49763	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.632285118 CEST	443	49763	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.632395983 CEST	49763	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.632419109 CEST	49763	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.632426977 CEST	443	49763	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.653808117 CEST	443	49764	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.654046059 CEST	49764	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.654068947 CEST	443	49764	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.654376030 CEST	443	49764	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.654633999 CEST	49764	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.654681921 CEST	443	49764	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.654783010 CEST	49764	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.654812098 CEST	49764	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.654814959 CEST	443	49764	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.930744886 CEST	443	49763	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.932246923 CEST	443	49763	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.932296991 CEST	49763	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.934003115 CEST	49763	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.934016943 CEST	443	49763	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.951236963 CEST	443	49764	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.951764107 CEST	443	49764	142.250.185.142	192.168.2.7
Oct 1, 2024 00:48:48.951822996 CEST	49764	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.951909065 CEST	49764	443	192.168.2.7	142.250.185.142
Oct 1, 2024 00:48:48.951915979 CEST	443	49764	142.250.185.142	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 00:47:01.891258955 CEST	59733	53	192.168.2.7	1.1.1.1
Oct 1, 2024 00:47:01.891529083 CEST	51235	53	192.168.2.7	1.1.1.1
Oct 1, 2024 00:47:01.898257017 CEST	53	59733	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:01.899555922 CEST	53	51235	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:02.012375116 CEST	53	55819	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:02.029032946 CEST	53	49537	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:03.026348114 CEST	53	63727	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:03.078969955 CEST	64040	53	192.168.2.7	1.1.1.1
Oct 1, 2024 00:47:03.079334974 CEST	62855	53	192.168.2.7	1.1.1.1
Oct 1, 2024 00:47:03.085591078 CEST	53	64040	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:03.086045027 CEST	53	62855	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:06.234668970 CEST	60386	53	192.168.2.7	1.1.1.1
Oct 1, 2024 00:47:06.234819889 CEST	56314	53	192.168.2.7	1.1.1.1
Oct 1, 2024 00:47:06.243040085 CEST	53	60386	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:06.243474007 CEST	53	56314	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:06.406853914 CEST	123	123	192.168.2.7	20.101.57.9
Oct 1, 2024 00:47:06.580271006 CEST	123	123	20.101.57.9	192.168.2.7
Oct 1, 2024 00:47:08.331875086 CEST	53	63292	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:10.828845978 CEST	58343	53	192.168.2.7	1.1.1.1
Oct 1, 2024 00:47:10.829328060 CEST	50664	53	192.168.2.7	1.1.1.1
Oct 1, 2024 00:47:10.835648060 CEST	53	58343	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:10.836939096 CEST	53	50664	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:12.061662912 CEST	56923	53	192.168.2.7	1.1.1.1
Oct 1, 2024 00:47:12.061918020 CEST	62709	53	192.168.2.7	1.1.1.1
Oct 1, 2024 00:47:12.068171024 CEST	53	56923	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:12.069046974 CEST	53	62709	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:14.184752941 CEST	53	51309	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:19.933459044 CEST	53	62393	1.1.1.1	192.168.2.7
Oct 1, 2024 00:47:38.842267990 CEST	53	59803	1.1.1.1	192.168.2.7
Oct 1, 2024 00:48:00.337554932 CEST	138	138	192.168.2.7	192.168.2.255
Oct 1, 2024 00:48:01.434968948 CEST	53	62971	1.1.1.1	192.168.2.7
Oct 1, 2024 00:48:01.594397068 CEST	53	51195	1.1.1.1	192.168.2.7
Oct 1, 2024 00:48:13.002535105 CEST	53	61399	1.1.1.1	192.168.2.7
Oct 1, 2024 00:48:15.693636894 CEST	51471	53	192.168.2.7	1.1.1.1
Oct 1, 2024 00:48:15.693787098 CEST	60333	53	192.168.2.7	1.1.1.1
Oct 1, 2024 00:48:15.702042103 CEST	53	60333	1.1.1.1	192.168.2.7
Oct 1, 2024 00:48:15.702058077 CEST	53	51471	1.1.1.1	192.168.2.7
Oct 1, 2024 00:48:29.370693922 CEST	53	61421	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 00:47:01.891258955 CEST	192.168.2.7	1.1.1.1	0x6f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:01.891529083 CEST	192.168.2.7	1.1.1.1	0xac45	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 1, 2024 00:47:03.078969955 CEST	192.168.2.7	1.1.1.1	0xd1a4	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.079334974 CEST	192.168.2.7	1.1.1.1	0xb0f2	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 00:47:06.234668970 CEST	192.168.2.7	1.1.1.1	0xaa93	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:06.234819889 CEST	192.168.2.7	1.1.1.1	0xb268	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 1, 2024 00:47:10.828845978 CEST	192.168.2.7	1.1.1.1	0xcc77	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:10.829328060 CEST	192.168.2.7	1.1.1.1	0x513b	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 00:47:12.061662912 CEST	192.168.2.7	1.1.1.1	0x5317	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:12.061918020 CEST	192.168.2.7	1.1.1.1	0x3c08	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 1, 2024 00:48:15.693636894 CEST	192.168.2.7	1.1.1.1	0x9018	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:48:15.693787098 CEST	192.168.2.7	1.1.1.1	0x48ff	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 00:47:01.898257017 CEST	1.1.1.1	192.168.2.7	0x6f	No error (0)	youtube.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:01.899555922 CEST	1.1.1.1	192.168.2.7	0xac45	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.085591078 CEST	1.1.1.1	192.168.2.7	0xd1a4	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:03.086045027 CEST	1.1.1.1	192.168.2.7	0xb0f2	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 00:47:03.086045027 CEST	1.1.1.1	192.168.2.7	0xb0f2	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 1, 2024 00:47:06.243040085 CEST	1.1.1.1	192.168.2.7	0xaa93	No error (0)	www.google.com		142.250.186.132	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:06.243474007 CEST	1.1.1.1	192.168.2.7	0xb268	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 1, 2024 00:47:10.835648060 CEST	1.1.1.1	192.168.2.7	0xcc77	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 00:47:10.835648060 CEST	1.1.1.1	192.168.2.7	0xcc77	No error (0)	www3.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:47:10.836939096 CEST	1.1.1.1	192.168.2.7	0x513b	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 00:47:12.068171024 CEST	1.1.1.1	192.168.2.7	0x5317	No error (0)	play.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:48:15.702058077 CEST	1.1.1.1	192.168.2.7	0x9018	No error (0)	play.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49705	142.250.185.78	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:02 UTC	839	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 22:47:03 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Mon, 30 Sep 2024 22:47:02 GMT Date: Mon, 30 Sep 2024 22:47:02 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Frame-Options: SAMEORIGIN Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Content-Security-Policy: require-trusted-types-for 'script' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49715	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:07 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-30 22:47:07 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=237523 Date: Mon, 30 Sep 2024 22:47:07 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49717	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:08 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-30 22:47:08 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=237466 Date: Mon, 30 Sep 2024 22:47:08 GMT Content-Length: 55 Connection: close X-CID: 2
2024-09-30 22:47:08 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49729	142.250.181.238	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:11 UTC	1205	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1029294272&timestamp=1727736429547 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 22:47:11 UTC	1969	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-UNJbn0rIgRH0qilaWGNHBw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Sep 2024 22:47:11 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmII1JBikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIh-P9lTfb2QRuTLh9nklJLym_MD4zJTWvJLOkMiU_NzEzLzk_Pzsztbg4tagstSjeyMDIxMDSyEjPwCK-wAAAB8MuMg" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:47:11 UTC	1969	IN	Data Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 55 4e 4a 62 6e 30 72 49 67 52 48 30 71 69 6c 61 57 47 4e 48 42 77 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7619<html><head><script nonce="UNJbn0rIgRH0qilaWGNHBw">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-09-30 22:47:11 UTC	1969	IN	Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
2024-09-30 22:47:11 UTC	1969	IN	Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
2024-09-30 22:47:11 UTC	1969	IN	Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
2024-09-30 22:47:11 UTC	1969	IN	Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
2024-09-30 22:47:11 UTC	1969	IN	Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
2024-09-30 22:47:11 UTC	1969	IN	Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)
2024-09-30 22:47:11 UTC	1969	IN	Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
2024-09-30 22:47:11 UTC	1969	IN	Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
2024-09-30 22:47:11 UTC	1969	IN	Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49731	172.217.16.142	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:12 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 22:47:12 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:47:12 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49732	172.217.16.142	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:13 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 22:47:13 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:47:13 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49735	172.217.16.142	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:13 UTC	1112	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 507 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 22:47:13 UTC	507	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 33 36 34 33 30 36 30 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727736430605",null,null,null
2024-09-30 22:47:13 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=De3-IJoeJD9kI9CSNh6CBrDG1YX9rVCnR79B4oHGuWo9EI0PPWnjJoOqbLkVUOJ8a9mFg4y2_49mc8nvsZvY_6v1XYXgHjBpbiUIaAI1tDlJs2JGsJZaQJS9rZPeT4fobOMVgOzDwieaZWv3ClRxUoAAOaoxGMS8oJCZ6cRZNZo1ClgFVg; expires=Tue, 01-Apr-2025 22:47:13 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:47:13 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Mon, 30 Sep 2024 22:47:13 GMT Connection: close Transfer-Encoding: chunked
2024-09-30 22:47:13 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:47:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49739	172.217.16.142	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:14 UTC	1112	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 505 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 22:47:14 UTC	505	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 33 36 34 33 30 37 37 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727736430776",null,null,null
2024-09-30 22:47:14 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=X1TMqN8Nl_sl8XmDDScj0-8ksX8mi4l9QK_XaT5-FLctyAkmWXJ6O33T24Jo0Pwskbv5kkldMgX-Z5JBHCOdUGIi4VJTjyYHksnrD3ejRCtrgKw4LryhKg_6MsIzZ_ShpYeWy1hvAkXXyD4o7FDgks5m73Tt34WiOFhYUj0djWawTf7Klg; expires=Tue, 01-Apr-2025 22:47:14 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:47:14 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Mon, 30 Sep 2024 22:47:14 GMT Connection: close Transfer-Encoding: chunked
2024-09-30 22:47:14 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:47:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49713	142.250.186.132	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:14 UTC	1201	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=X1TMqN8Nl_sl8XmDDScj0-8ksX8mi4l9QK_XaT5-FLctyAkmWXJ6O33T24Jo0Pwskbv5kkldMgX-Z5JBHCOdUGIi4VJTjyYHksnrD3ejRCtrgKw4LryhKg_6MsIzZ_ShpYeWy1hvAkXXyD4o7FDgks5m73Tt34WiOFhYUj0djWawTf7Klg
2024-09-30 22:47:14 UTC	706	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Mon, 30 Sep 2024 17:00:09 GMT Expires: Tue, 08 Oct 2024 17:00:09 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 20825 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-09-30 22:47:14 UTC	684	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-09-30 22:47:14 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<
2024-09-30 22:47:14 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-09-30 22:47:14 UTC	1390	IN	Data Raw: 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBBF!4I
2024-09-30 22:47:14 UTC	576	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49741	4.245.163.56	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:16 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CnWuoTPFlZNZotC&MD=W7ctRTEr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-30 22:47:16 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 7a8db7c6-c486-4453-960e-0059a2678898 MS-RequestId: 19b5901a-cae1-423c-b7c3-e339547676e6 MS-CV: JXKqvt/V4kWU2iBH.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 30 Sep 2024 22:47:16 GMT Connection: close Content-Length: 24490
2024-09-30 22:47:16 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-09-30 22:47:16 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49752	172.217.16.142	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:20 UTC	1286	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1221 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=X1TMqN8Nl_sl8XmDDScj0-8ksX8mi4l9QK_XaT5-FLctyAkmWXJ6O33T24Jo0Pwskbv5kkldMgX-Z5JBHCOdUGIi4VJTjyYHksnrD3ejRCtrgKw4LryhKg_6MsIzZ_ShpYeWy1hvAkXXyD4o7FDgks5m73Tt34WiOFhYUj0djWawTf7Klg
2024-09-30 22:47:20 UTC	1221	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 37 33 36 34 32 38 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[4,0,0,0,0]]],558,[["1727736428000",null,null,null,
2024-09-30 22:47:20 UTC	940	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=Oz74s4AmzbAIxjzYUi5AAVUqI4Ne0jT_S4YGjDDlouf0UcdQtyNbfcCo3ps78sGBcvexXxNDGZr91jQMJxbe9wMFHIErqZ3Iln-Xryx2lHhCyel3Gl3cr3JK-WI5bdI5wxFNp4arHA30eqRhXR4-3qXnlH3AyqpiUoxd3l--3fWU1NRlMyfkttJ3gw; expires=Tue, 01-Apr-2025 22:47:20 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:47:20 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Mon, 30 Sep 2024 22:47:20 GMT Connection: close Transfer-Encoding: chunked
2024-09-30 22:47:20 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:47:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49753	172.217.16.142	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:44 UTC	1277	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1040 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.134" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Oz74s4AmzbAIxjzYUi5AAVUqI4Ne0jT_S4YGjDDlouf0UcdQtyNbfcCo3ps78sGBcvexXxNDGZr91jQMJxbe9wMFHIErqZ3Iln-Xryx2lHhCyel3Gl3cr3JK-WI5bdI5wxFNp4arHA30eqRhXR4-3qXnlH3AyqpiUoxd3l--3fWU1NRlMyfkttJ3gw
2024-09-30 22:47:44 UTC	1040	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 34 2e 30 32 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240924.02_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[3,0,0
2024-09-30 22:47:44 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:47:44 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:47:44 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:47:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49754	172.217.16.142	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:45 UTC	1317	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1150 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Oz74s4AmzbAIxjzYUi5AAVUqI4Ne0jT_S4YGjDDlouf0UcdQtyNbfcCo3ps78sGBcvexXxNDGZr91jQMJxbe9wMFHIErqZ3Iln-Xryx2lHhCyel3Gl3cr3JK-WI5bdI5wxFNp4arHA30eqRhXR4-3qXnlH3AyqpiUoxd3l--3fWU1NRlMyfkttJ3gw
2024-09-30 22:47:45 UTC	1150	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 33 36 34 36 33 39 30 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727736463902",null,null,null
2024-09-30 22:47:46 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:47:46 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:47:46 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:47:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49755	172.217.16.142	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:45 UTC	1317	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1162 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Oz74s4AmzbAIxjzYUi5AAVUqI4Ne0jT_S4YGjDDlouf0UcdQtyNbfcCo3ps78sGBcvexXxNDGZr91jQMJxbe9wMFHIErqZ3Iln-Xryx2lHhCyel3Gl3cr3JK-WI5bdI5wxFNp4arHA30eqRhXR4-3qXnlH3AyqpiUoxd3l--3fWU1NRlMyfkttJ3gw
2024-09-30 22:47:45 UTC	1162	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 33 36 34 36 34 30 35 38 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727736464058",null,null,null
2024-09-30 22:47:46 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:47:46 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:47:46 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:47:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49756	4.245.163.56	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:47:54 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CnWuoTPFlZNZotC&MD=W7ctRTEr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-30 22:47:55 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 55cf067a-560d-4ebc-a442-c4b809613820 MS-RequestId: eae24dbe-2b37-4f73-93c9-9fc8e79b657f MS-CV: uetc119oAkK2vjUo.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 30 Sep 2024 22:47:54 GMT Connection: close Content-Length: 30005
2024-09-30 22:47:55 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-09-30 22:47:55 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49760	142.250.185.142	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:48:16 UTC	1317	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1424 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Oz74s4AmzbAIxjzYUi5AAVUqI4Ne0jT_S4YGjDDlouf0UcdQtyNbfcCo3ps78sGBcvexXxNDGZr91jQMJxbe9wMFHIErqZ3Iln-Xryx2lHhCyel3Gl3cr3JK-WI5bdI5wxFNp4arHA30eqRhXR4-3qXnlH3AyqpiUoxd3l--3fWU1NRlMyfkttJ3gw
2024-09-30 22:48:16 UTC	1424	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 34 31 38 30 38 39 37 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727741808972",null,null,null
2024-09-30 22:48:16 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:48:16 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:48:16 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:48:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49761	142.250.185.142	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:48:16 UTC	1317	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1349 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Oz74s4AmzbAIxjzYUi5AAVUqI4Ne0jT_S4YGjDDlouf0UcdQtyNbfcCo3ps78sGBcvexXxNDGZr91jQMJxbe9wMFHIErqZ3Iln-Xryx2lHhCyel3Gl3cr3JK-WI5bdI5wxFNp4arHA30eqRhXR4-3qXnlH3AyqpiUoxd3l--3fWU1NRlMyfkttJ3gw
2024-09-30 22:48:16 UTC	1349	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 34 31 38 30 39 30 36 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727741809066",null,null,null
2024-09-30 22:48:16 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:48:16 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:48:16 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:48:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49763	142.250.185.142	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:48:48 UTC	1317	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1379 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Oz74s4AmzbAIxjzYUi5AAVUqI4Ne0jT_S4YGjDDlouf0UcdQtyNbfcCo3ps78sGBcvexXxNDGZr91jQMJxbe9wMFHIErqZ3Iln-Xryx2lHhCyel3Gl3cr3JK-WI5bdI5wxFNp4arHA30eqRhXR4-3qXnlH3AyqpiUoxd3l--3fWU1NRlMyfkttJ3gw
2024-09-30 22:48:48 UTC	1379	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 34 31 38 34 31 32 35 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727741841255",null,null,null
2024-09-30 22:48:48 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:48:48 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:48:48 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:48:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49764	142.250.185.142	443	7236	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:48:48 UTC	1317	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1195 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Oz74s4AmzbAIxjzYUi5AAVUqI4Ne0jT_S4YGjDDlouf0UcdQtyNbfcCo3ps78sGBcvexXxNDGZr91jQMJxbe9wMFHIErqZ3Iln-Xryx2lHhCyel3Gl3cr3JK-WI5bdI5wxFNp4arHA30eqRhXR4-3qXnlH3AyqpiUoxd3l--3fWU1NRlMyfkttJ3gw
2024-09-30 22:48:48 UTC	1195	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 34 31 38 34 31 32 38 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727741841286",null,null,null
2024-09-30 22:48:48 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:48:48 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:48:48 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:48:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	18:46:56
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe80000
File size:	917'504 bytes
MD5 hash:	27CA789E11C7FCD10B8932BF3A42F574
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:46:56
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xa80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:46:56
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:46:59
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	18:46:59
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=2004,i,10407444804850193648,4541429428570766370,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	18:47:10
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5468 --field-trial-handle=2004,i,10407444804850193648,4541429428570766370,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	18:47:10
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 --field-trial-handle=2004,i,10407444804850193648,4541429428570766370,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.6%
Total number of Nodes:	1450
Total number of Limit Nodes:	41

Executed Functions

Function 00E842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E8430D

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

GetCurrentProcess.KERNEL32(?,00F1CB64,00000000,?,?), ref: 00E84422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00E84429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00E84454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E84466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00E84474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00E8447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00E844A0

Strings

kernel32.dll, xrefs: 00E8444F
GetNativeSystemInfo, xrefs: 00E84460
|O, xrefs: 00EC36F8

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 2bbdddd6a260fb97ff36812543c23a4a1c16860e394ceaac1f3ee122f710e6fa
Instruction ID: 7c5143cadead0cc38d8bcb3cc8792a0ab19bf43b6acc153b571e8aa8ebf2278e
Opcode Fuzzy Hash: 2bbdddd6a260fb97ff36812543c23a4a1c16860e394ceaac1f3ee122f710e6fa
Instruction Fuzzy Hash: E8A109A18093CCCFC711D7B87C607D57FA4BF3634AB08A89DD289B3662D2216509FB61

Function 00E842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E850AA,?,?,00000000,00000000), ref: 00E842B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E850AA,?,?,00000000,00000000), ref: 00E842C9
LoadResource.KERNEL32(?,00000000,?,?,00E850AA,?,?,00000000,00000000,?,?,?,?,?,?,00E84F20), ref: 00EC35BE
SizeofResource.KERNEL32(?,00000000,?,?,00E850AA,?,?,00000000,00000000,?,?,?,?,?,?,00E84F20), ref: 00EC35D3
LockResource.KERNEL32(00E850AA,?,?,00E850AA,?,?,00000000,00000000,?,?,?,?,?,?,00E84F20,?), ref: 00EC35E6

Strings

SCRIPT, xrefs: 00E842BF

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: cb8fb15b5493bf404823137f1cdcdfa596574221ca499e106b8b5360be044b52
Instruction ID: a171543af4690ed93fd532478b1e9ef21c388951bd311694cd314efe69be315e
Opcode Fuzzy Hash: cb8fb15b5493bf404823137f1cdcdfa596574221ca499e106b8b5360be044b52
Instruction Fuzzy Hash: 5511ACB0240309BFD722AB65DC48FA77BB9EBC9B55F108169F40AE62A0DB71D8009660

Function 00EEDBBE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,"R), ref: 00EEDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00EEDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00EEDBEE
FindClose.KERNEL32(00000000), ref: 00EEDBFA

Strings

"R, xrefs: 00EEDBCA

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID: "R
API String ID: 2695905019-1746183819
Opcode ID: 8f779e0729fe2b9794303380af241f38dce9ae2b41f63c614fe7941d7a3ace93
Instruction ID: b2f5408e92280e119150d6d7e8134a50412e47f41f34d281d4f70d6fbc6d5851
Opcode Fuzzy Hash: 8f779e0729fe2b9794303380af241f38dce9ae2b41f63c614fe7941d7a3ace93
Instruction Fuzzy Hash: 50F0E53085895C6782206B7CAC0D8EAB76C9E01378B219702F836D20F0EBB15D64D6D6

Function 00EC2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00E82B6B

Part of subcall function 00E83A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F51418,?,00E82E7F,?,?,?,00000000), ref: 00E83A78

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00F42224), ref: 00EC2C10
ShellExecuteW.SHELL32(00000000,?,?,00F42224), ref: 00EC2C17

Strings

runas, xrefs: 00EC2C0B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 0be8c299fd2dcf6dbeaaf474a4abddc4e10b71d72a1cc340a52aa0517113f66c
Instruction ID: 30f95a4977973a426db68fce03385f2efab597d50af28012a5ab1eec15631c3f
Opcode Fuzzy Hash: 0be8c299fd2dcf6dbeaaf474a4abddc4e10b71d72a1cc340a52aa0517113f66c
Instruction Fuzzy Hash: 1C11D6315083056AC704FF70D851EBEBBE4AB91745F44342DF64E720E3CF259A4AA752

Function 00EA4CE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00EB28E9,(,00EA4CBE,00000000,00F488B8,0000000C,00EA4E15,(,00000002,00000000,?,00EB28E9,00000003,00EB2DF7,?,?), ref: 00EA4D09
TerminateProcess.KERNEL32(00000000,?,00EB28E9,00000003,00EB2DF7,?,?,?,00EAE6D1,?,00F48A48,00000010,00E84F4A,?,?,00000000), ref: 00EA4D10
ExitProcess.KERNEL32 ref: 00EA4D22

Strings

(, xrefs: 00EA4CEA

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: (
API String ID: 1703294689-2063206799
Opcode ID: 3d90856dc74c9d00fc399c1c3b7ed73c98fa235cba5bccbc1a8235030783c6fa
Instruction ID: c5a47610bc3bf693330f48a32b753aabe93f6e6693a0f044598becc8ce804ec7
Opcode Fuzzy Hash: 3d90856dc74c9d00fc399c1c3b7ed73c98fa235cba5bccbc1a8235030783c6fa
Instruction Fuzzy Hash: 34E046B1040108ABCF11AF24DD0AA883B69EB86785F018014FD14AA162CB75EE42EA80

Function 00EED4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EED501
Process32FirstW.KERNEL32(00000000,?), ref: 00EED50F
Process32NextW.KERNEL32(00000000,?), ref: 00EED52F
CloseHandle.KERNELBASE(00000000), ref: 00EED5DC

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 7281622e37c4e3470f0cc07abd19ed45ba235181b5c3f2e01d08c31fbe64f471
Instruction ID: b2fdf799b3083ce451d3601dab81853e3caa3b1a0dc56cca6c2aea0175c12b33
Opcode Fuzzy Hash: 7281622e37c4e3470f0cc07abd19ed45ba235181b5c3f2e01d08c31fbe64f471
Instruction Fuzzy Hash: 2931AF310083449FD304EF54CC85ABFBBF8EF99344F14092DF589A21A2EB719948CB92

Function 00F0AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00F0B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F0B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F0B1D4
_wcslen.LIBCMT ref: 00F0B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F0B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F0B236
_wcslen.LIBCMT ref: 00F0B332

Part of subcall function 00EF05A7: GetStdHandle.KERNEL32(000000F6), ref: 00EF05C6

_wcslen.LIBCMT ref: 00F0B34B
_wcslen.LIBCMT ref: 00F0B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F0B3B6
GetLastError.KERNEL32(00000000), ref: 00F0B407
CloseHandle.KERNEL32(?), ref: 00F0B439
CloseHandle.KERNEL32(00000000), ref: 00F0B44A
CloseHandle.KERNEL32(00000000), ref: 00F0B45C
CloseHandle.KERNEL32(00000000), ref: 00F0B46E
CloseHandle.KERNEL32(?), ref: 00F0B4E3

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: e3b758a16b0ad902ae8ddf8f35d050e1b670c5c0c9053db14059a7b5767a5a46
Instruction ID: f97f58c3ad29e7062be0653d74edceb421c98e1de1c5ee726c0ea5451b242c5f
Opcode Fuzzy Hash: e3b758a16b0ad902ae8ddf8f35d050e1b670c5c0c9053db14059a7b5767a5a46
Instruction Fuzzy Hash: 92F1A071A043409FC715EF24C881B6EBBE5AF85724F14855DF8999B2E2DB31EC40EB52

Function 00E8D730 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00E8D807
timeGetTime.WINMM ref: 00E8DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E8DB28
TranslateMessage.USER32(?), ref: 00E8DB7B
DispatchMessageW.USER32(?), ref: 00E8DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E8DB9F
Sleep.KERNELBASE(0000000A), ref: 00E8DBB1

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 48ecbf5a85372da16d1621953adcaab40337b1e8183eb8f1b8689ef2d2d0d483
Instruction ID: f7aaba9fc0867f717b1e88739617615836d75578b5fc9d80864ad5931e0a2369
Opcode Fuzzy Hash: 48ecbf5a85372da16d1621953adcaab40337b1e8183eb8f1b8689ef2d2d0d483
Instruction Fuzzy Hash: F742FF30608341AFD728EB24CC44BAAB7E0FF85318F14A65EE55DA73D1D7B0A845DB82

Function 00E82CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E82D07
RegisterClassExW.USER32(00000030), ref: 00E82D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E82D42
InitCommonControlsEx.COMCTL32(?), ref: 00E82D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E82D6F
LoadIconW.USER32(000000A9), ref: 00E82D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E82D94

Strings

+, xrefs: 00E82CF0
0, xrefs: 00E82CE9
AutoIt v3 GUI, xrefs: 00E82D23
TaskbarCreated, xrefs: 00E82D37

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5a41d85c0a20967af79f75443e99d32f32f061b51e85c65d631131acba0b7d4b
Instruction ID: dc9081884853eb00f15e9130fdce910869deb48f24791844c928cafbe381bc09
Opcode Fuzzy Hash: 5a41d85c0a20967af79f75443e99d32f32f061b51e85c65d631131acba0b7d4b
Instruction Fuzzy Hash: C821C0B594131CAFDB00DFA4E889BDDBBB4FB08701F01811AF611A62A0D7B55544EF91

Function 00EC065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EC039A: CreateFileW.KERNELBASE(00000000,00000000,?,00EC0704,?,?,00000000,?,00EC0704,00000000,0000000C), ref: 00EC03B7

GetLastError.KERNEL32 ref: 00EC076F
__dosmaperr.LIBCMT ref: 00EC0776
GetFileType.KERNELBASE(00000000), ref: 00EC0782
GetLastError.KERNEL32 ref: 00EC078C
__dosmaperr.LIBCMT ref: 00EC0795
CloseHandle.KERNEL32(00000000), ref: 00EC07B5
CloseHandle.KERNEL32(?), ref: 00EC08FF
GetLastError.KERNEL32 ref: 00EC0931
__dosmaperr.LIBCMT ref: 00EC0938

Strings

H, xrefs: 00EC08BD

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 65bb2cda94358ff4ddfd7fbd69029cdbf7154b87b6bd089f78db07eef2fcbb9c
Instruction ID: df31f2a81efd6d46a08f57eeaa6d9763410f0ea1d985ca42b051cbb0d03fb23b
Opcode Fuzzy Hash: 65bb2cda94358ff4ddfd7fbd69029cdbf7154b87b6bd089f78db07eef2fcbb9c
Instruction Fuzzy Hash: A0A12532A002088FDF19AF68D951BAE7BE0EB46324F14515DF815AF2A1DB329913DB91

Function 00E8344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E83A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F51418,?,00E82E7F,?,?,?,00000000), ref: 00E83A78

Part of subcall function 00E83357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E83379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E8356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EC318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EC31CE
RegCloseKey.ADVAPI32(?), ref: 00EC3210
_wcslen.LIBCMT ref: 00EC3277
_wcslen.LIBCMT ref: 00EC3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00E83560
Include, xrefs: 00EC3184, 00EC31C5
\, xrefs: 00EC328C
\Include\, xrefs: 00E83527

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 08b3b1c5c63c5fbf73d783ce33d0cd543e7eb33c789714297f506df0fc0867d7
Instruction ID: 35a6cce0efda4fea8ba6e446df9f846f9fffe8dd8ec704996049cd4e62540af1
Opcode Fuzzy Hash: 08b3b1c5c63c5fbf73d783ce33d0cd543e7eb33c789714297f506df0fc0867d7
Instruction Fuzzy Hash: 4F71C0714083059EC704EF65DC819ABBBE8FF8A740F40562EF649A71B1EB319A48DB52

Function 00E82B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E82B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00E82B9D
LoadIconW.USER32(00000063), ref: 00E82BB3
LoadIconW.USER32(000000A4), ref: 00E82BC5
LoadIconW.USER32(000000A2), ref: 00E82BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E82BEF
RegisterClassExW.USER32(?), ref: 00E82C40

Part of subcall function 00E82CD4: GetSysColorBrush.USER32(0000000F), ref: 00E82D07
Part of subcall function 00E82CD4: RegisterClassExW.USER32(00000030), ref: 00E82D31
Part of subcall function 00E82CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E82D42
Part of subcall function 00E82CD4: InitCommonControlsEx.COMCTL32(?), ref: 00E82D5F
Part of subcall function 00E82CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E82D6F
Part of subcall function 00E82CD4: LoadIconW.USER32(000000A9), ref: 00E82D85
Part of subcall function 00E82CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E82D94

Strings

0, xrefs: 00E82C0F
#, xrefs: 00E82C16
AutoIt v3, xrefs: 00E82C2F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 47e938b6b2a22d40ef605803b839e663e27693cb22c2be5b25310deaaaa5f66d
Instruction ID: ca3e3018075aa390411999b7983d1dc80f74e5833b09e457fb344828cfb62086
Opcode Fuzzy Hash: 47e938b6b2a22d40ef605803b839e663e27693cb22c2be5b25310deaaaa5f66d
Instruction Fuzzy Hash: 41215E70E4031CAFDB109FA5EC65BAE7FB4FB48B51F01415AF604A66A0D3B12940EF90

Function 00E83170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00E8316A,?,?), ref: 00E831D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00E8316A,?,?), ref: 00E83204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E83227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00E8316A,?,?), ref: 00E83232
CreatePopupMenu.USER32 ref: 00E83246
PostQuitMessage.USER32(00000000), ref: 00E83267

Strings

TaskbarCreated, xrefs: 00E8322D

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 9ec61e3f89b7b92aef43fe7e1dfaddb0c050a6cdaf4f8bf66bdc7cde8799ae34
Instruction ID: e1ea18cc51a4aeaa1f439c50b153dbaddb48b574a8801c999cfaf6372d89279e
Opcode Fuzzy Hash: 9ec61e3f89b7b92aef43fe7e1dfaddb0c050a6cdaf4f8bf66bdc7cde8799ae34
Instruction Fuzzy Hash: 8D414B31240308ABDB153B789D1DBFD3A59F706F09F046119FB0EB51E2D7B1AA41A7A1

Function 00E81410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E81459
CoUninitialize.COMBASE ref: 00E814F8
UnregisterHotKey.USER32(?), ref: 00E816DD
DestroyWindow.USER32(?), ref: 00EC24B9
FreeLibrary.KERNEL32(?), ref: 00EC251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EC254B

Strings

close all, xrefs: 00E81454

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 72e5fac825b0a7adf731b00bbbe70e67fc72fc6397b452e01d6d4cc4f654be89
Instruction ID: c6ea14f8e73b686974b7ba6c90739461d3f0119a873c9ac717e76ded717f6c79
Opcode Fuzzy Hash: 72e5fac825b0a7adf731b00bbbe70e67fc72fc6397b452e01d6d4cc4f654be89
Instruction Fuzzy Hash: 1ED145316012128FCB19EF14C995B69F7A4BF05714F2462ADE54EBB262DB32AC13CF91

Function 00E82C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E82C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E82CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E81CAD,?), ref: 00E82CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E81CAD,?), ref: 00E82CCF

Strings

edit, xrefs: 00E82CAC
AutoIt v3, xrefs: 00E82C89, 00E82C8E, 00E82C8F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a648c142c68f59e505f13e4ef55c705515facfd7b8e571af58c41d2bdf56f6c9
Instruction ID: 674c4e1776c30cc57da9db59ae40bfa08f8473b7a5152ccbc36402bf0da6746d
Opcode Fuzzy Hash: a648c142c68f59e505f13e4ef55c705515facfd7b8e571af58c41d2bdf56f6c9
Instruction Fuzzy Hash: CDF0B7755813987AEB211717AC18FB73EBDE7C6F61B02405EFA00A65A0C6626850EAB4

Function 00E83B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E83B0F,SwapMouseButtons,00000004,?), ref: 00E83B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E83B0F,SwapMouseButtons,00000004,?), ref: 00E83B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00E83B0F,SwapMouseButtons,00000004,?), ref: 00E83B83

Strings

Control Panel\Mouse, xrefs: 00E83B3E

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 72ca1f873657b8b48de6267b7f6a90a6df0610b3aa15c46a00b60fda8cef1f9e
Instruction ID: 1b13d9f4718bbcfc3836fa7c41ca0a910c21bdab0fd455a23e3b0dab9d99d47c
Opcode Fuzzy Hash: 72ca1f873657b8b48de6267b7f6a90a6df0610b3aa15c46a00b60fda8cef1f9e
Instruction Fuzzy Hash: 67112AB5510208FFDB20DFA5DC44AEEBBB9EF04B84B109459A809E7110E2319F40A7A0

Function 00E83923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00EC33A2

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E83A04

Strings

Line: , xrefs: 00EC33EB

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: c29e959d9d8e55626036b62baac1fe7e1147438db93c56d1d5e91c44b3bbd568
Instruction ID: 46300efbda7ecdaca63c802952e0c29a8df2890dba7e9cd8ce41fd198ab4c09f
Opcode Fuzzy Hash: c29e959d9d8e55626036b62baac1fe7e1147438db93c56d1d5e91c44b3bbd568
Instruction Fuzzy Hash: EF31C371508304AAD725FB20DC45BEBB7D8AB84B14F00692EF69DA2091EB74A649C7C2

Function 00E9FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00EA0668

Part of subcall function 00EA32A4: RaiseException.KERNEL32(?,?,?,00EA068A,?,00F51444,?,?,?,?,?,?,00EA068A,00E81129,00F48738,00E81129), ref: 00EA3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00EA0685

Strings

Unknown exception, xrefs: 00EA0692

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 2b93c92e630efdb226c1f6836a7389f2ba39191ffce21abaf022da273f54005c
Instruction ID: 76a92a9bb0db1e7e346a004267e6f5a2173d4d5a283ddfb80464e4f7e9973dcb
Opcode Fuzzy Hash: 2b93c92e630efdb226c1f6836a7389f2ba39191ffce21abaf022da273f54005c
Instruction Fuzzy Hash: 1AF0C23490020D778F00B6B4D856DAE7BAC5E4A358B605131F814FE9E2EF71FA66C5D1

Function 00E810F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E81BF4
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E81BFC
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E81C07
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E81C12
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E81C1A
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E81C22

Part of subcall function 00E81B4A: RegisterWindowMessageW.USER32(00000004,?,00E812C4), ref: 00E81BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E8136A
OleInitialize.OLE32 ref: 00E81388
CloseHandle.KERNEL32(00000000,00000000), ref: 00EC24AB

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: fcb9265b3b503670fa1f6f1ad4f34ed70ec8a6c95d931768fa780ad908ba30a7
Instruction ID: 86abb9199ff8b4ffa4178647cf9fc86db1778f7719c88ff6eb88c8a0a536ab38
Opcode Fuzzy Hash: fcb9265b3b503670fa1f6f1ad4f34ed70ec8a6c95d931768fa780ad908ba30a7
Instruction Fuzzy Hash: 3471EDB49013088FC794EF79A9417953AE4BB89347B58962AD60ED7362FB306845EF40

Function 00EEC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E83923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E83A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EEC259
KillTimer.USER32(?,00000001,?,?), ref: 00EEC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EEC270

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 43afb788b6d237f5111a05f0fccf6614704838b9c97f8a42cbeb65e8fc6554fb
Instruction ID: 2571cf161b2af8446e86bb491b0fb8dcf4273164e591020ef786d138a0647d99
Opcode Fuzzy Hash: 43afb788b6d237f5111a05f0fccf6614704838b9c97f8a42cbeb65e8fc6554fb
Instruction Fuzzy Hash: 5631D470904788AFEB229B648855BE6BBECAB0A308F10109DD29EA7251C3745A85CB51

Function 00EB86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00EB85CC,?,00F48CC8,0000000C), ref: 00EB8704
GetLastError.KERNEL32(?,00EB85CC,?,00F48CC8,0000000C), ref: 00EB870E
__dosmaperr.LIBCMT ref: 00EB8739

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 3119f523233a74476db04b6e7b21110df89245cd764a72c5e53a8974aa89e1b6
Instruction ID: de3054e506043aa4cef2aa8fe58051476163af55b8f9ad8731568ce35111f0d7
Opcode Fuzzy Hash: 3119f523233a74476db04b6e7b21110df89245cd764a72c5e53a8974aa89e1b6
Instruction Fuzzy Hash: D901083360562026D6647234AA457EF67CD4B8277CF392129E814BB3D6DEA08C81D590

Function 00E8DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00E8DB7B
DispatchMessageW.USER32(?), ref: 00E8DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E8DB9F
Sleep.KERNELBASE(0000000A), ref: 00E8DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00ED1CC9

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: ff59c5bfc061aa99ce71c01a70824f5a6bbdd6d39ed375c22904112d301e3143
Instruction ID: 250cdc0129f8819b17eefd01e131e93e7dd9d28f464b3283d12dd95ac4de981b
Opcode Fuzzy Hash: ff59c5bfc061aa99ce71c01a70824f5a6bbdd6d39ed375c22904112d301e3143
Instruction Fuzzy Hash: 79F082306483449BEB34DB70CC49FEA73ADEB44315F105919E60EE30C0DB70A488DB55

Function 00E91310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E917F6

Strings

CALL, xrefs: 00E917C6

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: f4e5264718bab1ca111ccba60dad33ae3f671c0832fb08133bc4e7a11547f9fe
Instruction ID: e997a6c3a35e9588c5e34038ce9ae514bbbd4522c9f23325f40217b875877d48
Opcode Fuzzy Hash: f4e5264718bab1ca111ccba60dad33ae3f671c0832fb08133bc4e7a11547f9fe
Instruction Fuzzy Hash: D3226C706083429FCB14DF14C480A6ABBF1FF89314F19999DF496AB3A2D771E845CB92

Function 00E82DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00EC2C8C

Part of subcall function 00E83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E83A97,?,?,00E82E7F,?,?,?,00000000), ref: 00E83AC2

Part of subcall function 00E82DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E82DC4

Strings

X, xrefs: 00EC2C5A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: b993dd09a8cf8b36296bec006840525053d4052fe89f664e6c224af7c8c90df4
Instruction ID: efc2f9ab7c2c7f2fd95938c4fa48f595b35607ee43d1ef29573aeff78f889c09
Opcode Fuzzy Hash: b993dd09a8cf8b36296bec006840525053d4052fe89f664e6c224af7c8c90df4
Instruction Fuzzy Hash: F9219371A002589BDF01EF94C845BEE7BF8AF49715F00905DE50DFB241DBB45A498BA1

Function 00E83837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E83908

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: da28d94d12a4cf1a7099a79998155e9482be22dfc53343313ba0cdfee41f0894
Instruction ID: 30e32cd0f1cf04271226eb35720157eef61f8bc352b131d54f697ad7bf9fe6e0
Opcode Fuzzy Hash: da28d94d12a4cf1a7099a79998155e9482be22dfc53343313ba0cdfee41f0894
Instruction Fuzzy Hash: 6D31C3705047059FD720EF34D895797BBE4FB49709F00092EF69DA3290E771AA44CB52

Function 00E9F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E9F661

Part of subcall function 00E8D730: GetInputState.USER32 ref: 00E8D807

Sleep.KERNEL32(00000000), ref: 00EDF2DE

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: d518a41c3fbe28023f7bb87789613920bf5e5f2e8591eab120ecc60a125b91f1
Instruction ID: 3f0e2860c6e3f0b562621ea33971a015f91def7921dc0aa98592d544c5c54b77
Opcode Fuzzy Hash: d518a41c3fbe28023f7bb87789613920bf5e5f2e8591eab120ecc60a125b91f1
Instruction Fuzzy Hash: 77F082712802059FD310FF65D845B9ABBE9EF45760F00502AE85DE73A1DB70A800CB91

Function 00E8B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E8BB4E

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 3c96efe51269313de634654d7a137fdbd06c42c09a9dbc7a2f3af6f67ca741c3
Instruction ID: b0ee0f1d55896cc927856283a4c098391010ac913a3f4fde50ff3c78793e7e53
Opcode Fuzzy Hash: 3c96efe51269313de634654d7a137fdbd06c42c09a9dbc7a2f3af6f67ca741c3
Instruction Fuzzy Hash: D632AE34A00209DFDB14DF54C894BBEB7B9EF45308F18A05AEA09BB361D775AD42CB51

Function 00F0AA6C Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00100400,00000000,?,?,?), ref: 00F0AAF9

Part of subcall function 00E8D730: GetInputState.USER32 ref: 00E8D807

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: InputOpenProcessState
String ID:
API String ID: 2450012749-0
Opcode ID: 37ecddffb2f990d3f3be76a3afa8e2282aa8eb247dec741839cba869a9b1179d
Instruction ID: b2e58cc827c906807743efb0035c07cf6023379d67f5d9cc66c15667b17b7190
Opcode Fuzzy Hash: 37ecddffb2f990d3f3be76a3afa8e2282aa8eb247dec741839cba869a9b1179d
Instruction Fuzzy Hash: 6631B175604205AFCB14DF18D480DAABBE5FF44354B18C199F81E9B392D731ED40EB91

Function 00E84ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E84E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E84EDD,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E9C
Part of subcall function 00E84E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E84EAE
Part of subcall function 00E84E90: FreeLibrary.KERNEL32(00000000,?,?,00E84EDD,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84EFD

Part of subcall function 00E84E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EC3CDE,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E62
Part of subcall function 00E84E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E84E74
Part of subcall function 00E84E59: FreeLibrary.KERNEL32(00000000,?,?,00EC3CDE,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E87

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: a78f95f61ec82769484684adb88524345082b876cc48e6fd7b0aed5f07acdddc
Instruction ID: 73a944a5fb168e80df535322341807277b19bd43de0a1f24a12dcb35a44aa39d
Opcode Fuzzy Hash: a78f95f61ec82769484684adb88524345082b876cc48e6fd7b0aed5f07acdddc
Instruction Fuzzy Hash: 2E11C172700206AACB14BB60D902FAD77E5EF40714F10A42EF64EBA1D1EE719A459790

Function 00EB8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00EB8440

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 2c8aade0e153c04de5333c13dc1de2315d20e6ffcecd031c174ef03ec98bfe60
Instruction ID: 910ae7e2fef82e891e457a6dcc0bb69edd7d21b5ba129ee7067f7a80830554a1
Opcode Fuzzy Hash: 2c8aade0e153c04de5333c13dc1de2315d20e6ffcecd031c174ef03ec98bfe60
Instruction Fuzzy Hash: 3211067590420AAFCB05DF58EA41ADF7BF9EF48314F104059F818AB312DA31DA11CBA5

Function 00EAE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: c151f39cc51abbfaac46ae00f63411847774a7ee2b708e64beb2bd52431a7f62
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: D3F0F432510A14A6D6353A699C05B9B33DC9FD7334F102B59F525BA3D2DB70F80186A5

Function 00EB3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b125f32be4c55ec52c5bd31bb454ce63861f3df7f419743f4d7f06ba4702d955
Instruction ID: f288e896b89ef67e64d087ef2d489cb63d1bcefb2c071f84436bf3451518c7be
Opcode Fuzzy Hash: b125f32be4c55ec52c5bd31bb454ce63861f3df7f419743f4d7f06ba4702d955
Instruction Fuzzy Hash: 09E0E53114022466D72526BB9C02BDB36C8BF827B4F162230BC04BA4E1DB50ED0181E2

Function 00E84F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84F6D

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9697a235ea71ce469eaac94b020cb4fe8d1611b63c773a193ceb93de3e8e56e0
Instruction ID: 2d0418afe28c06b49a146ad4f6a841081362e8c7508d324bc400e8aa9092f929
Opcode Fuzzy Hash: 9697a235ea71ce469eaac94b020cb4fe8d1611b63c773a193ceb93de3e8e56e0
Instruction Fuzzy Hash: 0DF030B1205752CFDB34AF64D490852B7E4FF1431D315A97EE2DEA2651C7319844DF50

Function 00E830F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E8314E

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: c2974eba05a8da2aec8e9abf0657bf65da134ee83421ea890e8178b0d5203a5c
Instruction ID: 1874ad64ee452153d16eb823d75c1c26332ebd89cc9bec5863f5ce94ccc85486
Opcode Fuzzy Hash: c2974eba05a8da2aec8e9abf0657bf65da134ee83421ea890e8178b0d5203a5c
Instruction Fuzzy Hash: 87F037709143189FEB52DB64DC497D57BFCB70570CF0001E9A648A6191D7745788CF51

Function 00E82DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E82DC4

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0bfbff7e68eb68b6ea0bb00c12d0a2d92c9f2f13560251695c60ad2b32d3aec1
Instruction ID: 38e3dacaa5d581c33be39ccb732d8467556c649c8c1c9b4a26442451110918d5
Opcode Fuzzy Hash: 0bfbff7e68eb68b6ea0bb00c12d0a2d92c9f2f13560251695c60ad2b32d3aec1
Instruction Fuzzy Hash: 99E0CD726002245BC710A2989C05FDA77DDDFC8794F0540B5FD0DE7248D970ED808690

Function 00E82B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E83837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E83908

Part of subcall function 00E8D730: GetInputState.USER32 ref: 00E8D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00E82B6B

Part of subcall function 00E830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E8314E

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 811d9d662f5233e3d2fe4ae71b36ac1c7f2eb5020141e55cc2ab7b1039642fd7
Instruction ID: 156647871b1602c03f113fa5a85847309ebb3d8ffa66e9f2b7e2234ae0beaf16
Opcode Fuzzy Hash: 811d9d662f5233e3d2fe4ae71b36ac1c7f2eb5020141e55cc2ab7b1039642fd7
Instruction Fuzzy Hash: 02E0862170424806CA08BB74A8525BDF7D99BD2756F40353EF64EB71E3CE2549494352

Function 00EC039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00EC0704,?,?,00000000,?,00EC0704,00000000,0000000C), ref: 00EC03B7

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a53b64cbcf100b8a5715fd72bf8ba6f5c62ff87e7c1a7b0047f73aebeb157a6a
Instruction ID: 3b91d21c470b8b76c699d12721301452dd52698c001a00d0b7d690470abde19f
Opcode Fuzzy Hash: a53b64cbcf100b8a5715fd72bf8ba6f5c62ff87e7c1a7b0047f73aebeb157a6a
Instruction Fuzzy Hash: 7BD06C3208010DBBDF028F84DD06EDA3BAAFB48714F018000BE1866020C732E821AB90

Function 00E81CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00E81CBC

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: df33790c980f8244a0b265299ee47125fb353cfc42b698fda71aa558929eda51
Instruction ID: a62342313c9bb40367302a4a05cdc849472804e2a971c86240189e5b38af912c
Opcode Fuzzy Hash: df33790c980f8244a0b265299ee47125fb353cfc42b698fda71aa558929eda51
Instruction Fuzzy Hash: D9C092362C030CAFF2198B80BC5AF507765B349B02F098401F709A95F3D7A22820FA90

Function 00ED1DC2 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00E8D807
Sleep.KERNELBASE(?,CCCCCCCC,00000000), ref: 00ED2CA9

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: InputSleepState
String ID:
API String ID: 1650039560-0
Opcode ID: d9e7d3506a8c66844b3e166dfdddb21b0b2158e1d327458c96efcb08af145d57
Instruction ID: 040a922b1aaab4cc90e841b585f59296a0214e9e7eecc66fee2ccae5265aecb4
Opcode Fuzzy Hash: d9e7d3506a8c66844b3e166dfdddb21b0b2158e1d327458c96efcb08af145d57
Instruction Fuzzy Hash: BEE02E3138C646AAD339DB389808BF0FB80F717318F048267C12CE2392D3A15820E7C2

Non-executed Functions

Function 00F19576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F1961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F1965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00F1969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F196C9
SendMessageW.USER32 ref: 00F196F2
GetKeyState.USER32(00000011), ref: 00F1978B
GetKeyState.USER32(00000009), ref: 00F19798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F197AE
GetKeyState.USER32(00000010), ref: 00F197B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F197E9
SendMessageW.USER32 ref: 00F19810
SendMessageW.USER32(?,00001030,?,00F17E95), ref: 00F19918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F1992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F19941
SetCapture.USER32(?), ref: 00F1994A
ClientToScreen.USER32(?,?), ref: 00F199AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F199BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F199D6
ReleaseCapture.USER32 ref: 00F199E1
GetCursorPos.USER32(?), ref: 00F19A19
ScreenToClient.USER32(?,?), ref: 00F19A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F19A80
SendMessageW.USER32 ref: 00F19AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F19AEB
SendMessageW.USER32 ref: 00F19B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F19B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F19B4A
GetCursorPos.USER32(?), ref: 00F19B68
ScreenToClient.USER32(?,?), ref: 00F19B75
GetParent.USER32(?), ref: 00F19B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F19BFA
SendMessageW.USER32 ref: 00F19C2B
ClientToScreen.USER32(?,?), ref: 00F19C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F19CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F19CDE
SendMessageW.USER32 ref: 00F19D01
ClientToScreen.USER32(?,?), ref: 00F19D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F19D82

Part of subcall function 00E99944: GetWindowLongW.USER32(?,000000EB), ref: 00E99952

GetWindowLongW.USER32(?,000000F0), ref: 00F19E05

Strings

F, xrefs: 00F19D07
@GUI_DRAGID, xrefs: 00F1997D

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: c43365b659742c0f02762f67f2adc844d93e5c2b9f3f55c1665f5012b408a424
Instruction ID: 25c97b66cfd2952d78dbd0a7b59993272126776a0bf6b2867885fe1f2b65eb0b
Opcode Fuzzy Hash: c43365b659742c0f02762f67f2adc844d93e5c2b9f3f55c1665f5012b408a424
Instruction Fuzzy Hash: CE429031508205EFD724CF24CC64BEABBE5FF88320F154619F699972A1D7B1E890EB91

Function 00F14873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00F148F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00F14908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00F14927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00F1494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00F1495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00F1497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00F149AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00F149D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00F14A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F14A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F14A7E
IsMenu.USER32(?), ref: 00F14A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F14AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F14B20
GetWindowLongW.USER32(?,000000F0), ref: 00F14B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00F14BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00F14C82
wsprintfW.USER32 ref: 00F14CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F14CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00F14CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F14D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F14D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00F14D5A

Strings

%d/%02d/%02d, xrefs: 00F14CA8

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 2b18c482930e63fd0964007f31a644d3b662b9132eeafa606ccc16d9ae89e367
Instruction ID: 02a5ba752a97b4efba23af09c0814e00eca1ff28326c09b38898c9b770b49a62
Opcode Fuzzy Hash: 2b18c482930e63fd0964007f31a644d3b662b9132eeafa606ccc16d9ae89e367
Instruction Fuzzy Hash: 2012E271A40218ABEB248F24CC49FEE7BF8EF85720F144119F519EB2E1D774A981EB50

Function 00E9F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00E9F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EDF474
IsIconic.USER32(00000000), ref: 00EDF47D
ShowWindow.USER32(00000000,00000009), ref: 00EDF48A
SetForegroundWindow.USER32(00000000), ref: 00EDF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EDF4AA
GetCurrentThreadId.KERNEL32 ref: 00EDF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EDF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00EDF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00EDF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00EDF4DE
SetForegroundWindow.USER32(00000000), ref: 00EDF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDF4F6
keybd_event.USER32(00000012,00000000), ref: 00EDF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDF50B
keybd_event.USER32(00000012,00000000), ref: 00EDF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDF519
keybd_event.USER32(00000012,00000000), ref: 00EDF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDF528
keybd_event.USER32(00000012,00000000), ref: 00EDF52D
SetForegroundWindow.USER32(00000000), ref: 00EDF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00EDF557

Strings

Shell_TrayWnd, xrefs: 00EDF46F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 17cbd8ff0e50409cdf148b13b148ccb5969c1374de52032fe300b27f4ec511b3
Instruction ID: fd81f19cd94dd1dda75e16e525114354601f3d41c8e45d13657a1498ba837f94
Opcode Fuzzy Hash: 17cbd8ff0e50409cdf148b13b148ccb5969c1374de52032fe300b27f4ec511b3
Instruction Fuzzy Hash: 56315D71A8021CBEEB216BB55C4AFFF7E6DEB44B50F154026FA05F61D1C6B09D01BAA0

Function 00EE1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00EE16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EE170D
Part of subcall function 00EE16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EE173A
Part of subcall function 00EE16C3: GetLastError.KERNEL32 ref: 00EE174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00EE1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00EE12A8
CloseHandle.KERNEL32(?), ref: 00EE12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EE12D1
GetProcessWindowStation.USER32 ref: 00EE12EA
SetProcessWindowStation.USER32(00000000), ref: 00EE12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EE1310

Part of subcall function 00EE10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EE11FC), ref: 00EE10D4
Part of subcall function 00EE10BF: CloseHandle.KERNEL32(?,?,00EE11FC), ref: 00EE10E9

Strings

winsta0, xrefs: 00EE12CC
, xrefs: 00EE125A
default, xrefs: 00EE130B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 41713690296e5ed54bf5a523a0d91d8d0fbb9aeb880ee8222b5446bff2c6e15a
Instruction ID: ae03c043973e2d6c4db039a10cde9aa4eaf90974f333e2c3619a81056cef361a
Opcode Fuzzy Hash: 41713690296e5ed54bf5a523a0d91d8d0fbb9aeb880ee8222b5446bff2c6e15a
Instruction Fuzzy Hash: 03819D7190028DAFDF219FA5DC49FEE7BB9EF08704F149169F920B62A0D7708984DB61

Function 00EE0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EE1114
Part of subcall function 00EE10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1120
Part of subcall function 00EE10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE112F
Part of subcall function 00EE10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1136
Part of subcall function 00EE10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EE114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EE0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EE0C00
GetLengthSid.ADVAPI32(?), ref: 00EE0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00EE0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EE0C6D
GetLengthSid.ADVAPI32(?), ref: 00EE0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EE0C8C
HeapAlloc.KERNEL32(00000000), ref: 00EE0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EE0CB4
CopySid.ADVAPI32(00000000), ref: 00EE0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EE0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EE0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EE0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0D45
HeapFree.KERNEL32(00000000), ref: 00EE0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0D55
HeapFree.KERNEL32(00000000), ref: 00EE0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0D65
HeapFree.KERNEL32(00000000), ref: 00EE0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EE0D78
HeapFree.KERNEL32(00000000), ref: 00EE0D7F

Part of subcall function 00EE1193: GetProcessHeap.KERNEL32(00000008,00EE0BB1,?,00000000,?,00EE0BB1,?), ref: 00EE11A1
Part of subcall function 00EE1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EE0BB1,?), ref: 00EE11A8
Part of subcall function 00EE1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EE0BB1,?), ref: 00EE11B7

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1995b1140a89b59f5463be17c4eb62022f4c5b16b8462a2c371522e2b4760e8b
Instruction ID: be2ab79495d98e2c47f607b48b80bbf737f1498d4f6c8f8caf6d51ed91956c4b
Opcode Fuzzy Hash: 1995b1140a89b59f5463be17c4eb62022f4c5b16b8462a2c371522e2b4760e8b
Instruction Fuzzy Hash: C871777294024EAFDF10DFA6DC44BEEBBB8AF08304F158115E914F6291D7B5AA45CBA0

Function 00EFEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00F1CC08), ref: 00EFEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00EFEB37
GetClipboardData.USER32(0000000D), ref: 00EFEB43
CloseClipboard.USER32 ref: 00EFEB4F
GlobalLock.KERNEL32(00000000), ref: 00EFEB87
CloseClipboard.USER32 ref: 00EFEB91
GlobalUnlock.KERNEL32(00000000), ref: 00EFEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00EFEBC9
GetClipboardData.USER32(00000001), ref: 00EFEBD1
GlobalLock.KERNEL32(00000000), ref: 00EFEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00EFEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00EFEC38
GetClipboardData.USER32(0000000F), ref: 00EFEC44
GlobalLock.KERNEL32(00000000), ref: 00EFEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00EFEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EFEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EFECD2
GlobalUnlock.KERNEL32(00000000), ref: 00EFECF3
CountClipboardFormats.USER32 ref: 00EFED14
CloseClipboard.USER32 ref: 00EFED59

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 121ee79edffe0212cded4040c945465c16eb7bcebf66d2de754f714565960703
Instruction ID: 9e1b3448ef11e20916e188f0aee668f65578004a5644456f536a0f3e09277a1f
Opcode Fuzzy Hash: 121ee79edffe0212cded4040c945465c16eb7bcebf66d2de754f714565960703
Instruction Fuzzy Hash: 0161D1342043099FD310EF24C884FBA77E4AF84708F15951DF55AA72A2DB31E905DBA2

Function 00EF698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EF69BE
FindClose.KERNEL32(00000000), ref: 00EF6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EF6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EF6A75

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00EF6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00EF6ADF

Strings

%4d, xrefs: 00EF6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00EF6B6A
%03d, xrefs: 00EF6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00EF6B32
%02d, xrefs: 00EF6C00, 00EF6C0A, 00EF6C5A, 00EF6CAA, 00EF6CFA, 00EF6D4A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 31150759839fe6d9335886d39a930826ece12d32eb5e98a173f9512d5c25a11a
Instruction ID: 7e3559e19b7767146a3885c46c01ae423b673c606282ae9e3ae8f76b0c1ae974
Opcode Fuzzy Hash: 31150759839fe6d9335886d39a930826ece12d32eb5e98a173f9512d5c25a11a
Instruction Fuzzy Hash: 07D15E72908304AFC714EBA0C891EBBB7ECAF98704F04591DF589E6191EB74DA44CB62

Function 00EF9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00EF9663
GetFileAttributesW.KERNEL32(?), ref: 00EF96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00EF96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00EF96D3
FindClose.KERNEL32(00000000), ref: 00EF96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00EF96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF974A
SetCurrentDirectoryW.KERNEL32(00F46B7C), ref: 00EF9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EF9772
FindClose.KERNEL32(00000000), ref: 00EF977F
FindClose.KERNEL32(00000000), ref: 00EF978F

Strings

*.*, xrefs: 00EF96F5

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: dc8b01e93705825d6520f4764b707fd5755359b043b55c2af7d2e44bd8d9b95f
Instruction ID: f07da18c1e3b13b682ad32f4d48238657ead9f0fbcc53e663bc42654d8a00457
Opcode Fuzzy Hash: dc8b01e93705825d6520f4764b707fd5755359b043b55c2af7d2e44bd8d9b95f
Instruction Fuzzy Hash: 8931F13258021D6BCB14AFB4DC08BEE37ACAF49325F118056FA54F20E1EB35DE409AA1

Function 00EF979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00EF97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00EF9819
FindClose.KERNEL32(00000000), ref: 00EF9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00EF9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF9890
SetCurrentDirectoryW.KERNEL32(00F46B7C), ref: 00EF98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EF98B8
FindClose.KERNEL32(00000000), ref: 00EF98C5
FindClose.KERNEL32(00000000), ref: 00EF98D5

Part of subcall function 00EEDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EEDB00

Strings

*.*, xrefs: 00EF983B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 4833a210d43e8a5f0b3879539da3b380d5489029eeb4e03388d5646a6ab2bf4a
Instruction ID: b6d4cf9a320d0dd5594b0363b239bc004218f415f89594922c56aa97fa5b7f6c
Opcode Fuzzy Hash: 4833a210d43e8a5f0b3879539da3b380d5489029eeb4e03388d5646a6ab2bf4a
Instruction Fuzzy Hash: 5731033254029D6ADB18AFB4DC48BEE37AC9F4A364F108056F990F20A1DB31DE849B60

Function 00F0BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0B6AE,?,?), ref: 00F0C9B5
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0C9F1
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA68
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00F0BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00F0BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F0C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F0C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F0C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F0C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00F0C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F0C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F0C382
RegCloseKey.ADVAPI32(00000000), ref: 00F0C38F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 21baf16d91cd055aaa2e09e939d6c15b015fbc75f5cfa7c2b269b5d7e102143b
Instruction ID: 4264d44ccfc50fafb184cb6dd672e57dcb1cb8e8997237ce13134eef7c4e450d
Opcode Fuzzy Hash: 21baf16d91cd055aaa2e09e939d6c15b015fbc75f5cfa7c2b269b5d7e102143b
Instruction Fuzzy Hash: 78027E716042009FD714DF28C895E2ABBE5EF89318F18C59DF84ADB2A2D731EC45EB91

Function 00EF8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EF8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00EF8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00EF8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EF8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EF838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8395

Strings

*.*, xrefs: 00EF839B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: da7a21c86fd7d352316a034b1ff2c0ea71ef54170fdf9f320ffb0a8a97d8b26d
Instruction ID: e0435a21387a94a44464f2b5e164976c9bc7f8ff5d818a1d35c4d6672ae9930b
Opcode Fuzzy Hash: da7a21c86fd7d352316a034b1ff2c0ea71ef54170fdf9f320ffb0a8a97d8b26d
Instruction Fuzzy Hash: 1B616E725043499FD710EF60C8409AFB3E9FF89314F04991EFA99A7261DB31E945CB92

Function 00EED076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E83A97,?,?,00E82E7F,?,?,?,00000000), ref: 00E83AC2

Part of subcall function 00EEE199: GetFileAttributesW.KERNEL32(?,00EECF95), ref: 00EEE19A

FindFirstFileW.KERNEL32(?,?), ref: 00EED122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00EED1DD
MoveFileW.KERNEL32(?,?), ref: 00EED1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00EED20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EED237

Part of subcall function 00EED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00EED21C,?,?), ref: 00EED2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00EED253
FindClose.KERNEL32(00000000), ref: 00EED264

Strings

\*.*, xrefs: 00EED0CD, 00EED0D6, 00EED0EB

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 5a7d6df65d8a416dbc49c37f5d4b31e4bbafc8fa2b356c69eaa6bef0aee6824c
Instruction ID: 5f41002ea4d4dd1509c4d6c219ab7c6805489e6c73ced5c36a37658a91f0ab52
Opcode Fuzzy Hash: 5a7d6df65d8a416dbc49c37f5d4b31e4bbafc8fa2b356c69eaa6bef0aee6824c
Instruction Fuzzy Hash: 3661793180918D9BCF05EBE1DE829FDB7B5AF54304F249065E40A731A2EB316F09DB60

Function 00EFED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00EFED91
EmptyClipboard.USER32 ref: 00EFED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00EFEDAC
CloseClipboard.USER32 ref: 00EFEEA3

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: abef708485b1f9b8a420f0add5eeb85b271ee8165cad3db0b89e2cb543dbcb35
Instruction ID: 20cf7a5cfbbf7d0d70f2c5756d9e69e0442e8a6da95cbf3d2b58afeee70f21bb
Opcode Fuzzy Hash: abef708485b1f9b8a420f0add5eeb85b271ee8165cad3db0b89e2cb543dbcb35
Instruction Fuzzy Hash: CA41AB31204215AFE320DF25E888B69BBE1AF44318F15D099E559ABB72C736FC41DBD0

Function 00EEE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EE170D
Part of subcall function 00EE16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EE173A
Part of subcall function 00EE16C3: GetLastError.KERNEL32 ref: 00EE174A

ExitWindowsEx.USER32(?,00000000), ref: 00EEE932

Strings

@, xrefs: 00EEE925
, xrefs: 00EEE920
, xrefs: 00EEE95C
SeShutdownPrivilege, xrefs: 00EEE902

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 1730d38af81eeb2e2bd948742d5261513c54c1c67c1519f34ef6e4a7b84ec414
Instruction ID: c017533923f6ab3562377ae55df284e377a3055e16a9096791ddd8691d0b103e
Opcode Fuzzy Hash: 1730d38af81eeb2e2bd948742d5261513c54c1c67c1519f34ef6e4a7b84ec414
Instruction Fuzzy Hash: 9401267261025DABEB1462B6AC86FFB72DC9B44744F155461FC02F32D3E6A29C4491A0

Function 00F01204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F01276
WSAGetLastError.WSOCK32 ref: 00F01283
bind.WSOCK32(00000000,?,00000010), ref: 00F012BA
WSAGetLastError.WSOCK32 ref: 00F012C5
closesocket.WSOCK32(00000000), ref: 00F012F4
listen.WSOCK32(00000000,00000005), ref: 00F01303
WSAGetLastError.WSOCK32 ref: 00F0130D
closesocket.WSOCK32(00000000), ref: 00F0133C

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 3f9d4ea21b84a1b7f467d127aefa06456ba8b2251d670db5f139d52194d641c2
Instruction ID: 6abee52d0251eb45ae38b02c1e7c170a83a879d5f788f781c2c28ca8dbf8e906
Opcode Fuzzy Hash: 3f9d4ea21b84a1b7f467d127aefa06456ba8b2251d670db5f139d52194d641c2
Instruction Fuzzy Hash: 01417271A001049FD710DF68C484B69BBE6BF46328F19819CE85A9F2D2C771ED81EBE1

Function 00EBB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EBB9D4
_free.LIBCMT ref: 00EBB9F8
_free.LIBCMT ref: 00EBBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F23700), ref: 00EBBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00F5121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00EBBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00F51270,000000FF,?,0000003F,00000000,?), ref: 00EBBC36
_free.LIBCMT ref: 00EBBD4B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 1033d44c057faebfb639e18c3b75223f2da5c2fd036a1a0e54bf3e5710125c81
Instruction ID: 33a4067a1217b8b303ab5c1237143e1b49d6519d0337a398ded9204342251c20
Opcode Fuzzy Hash: 1033d44c057faebfb639e18c3b75223f2da5c2fd036a1a0e54bf3e5710125c81
Instruction Fuzzy Hash: 36C11671904208AFDB20DF688C41BEFBBE8EF41314F1461AAE594FB251EBB09E41DB50

Function 00EED3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E83A97,?,?,00E82E7F,?,?,?,00000000), ref: 00E83AC2

Part of subcall function 00EEE199: GetFileAttributesW.KERNEL32(?,00EECF95), ref: 00EEE19A

FindFirstFileW.KERNEL32(?,?), ref: 00EED420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00EED470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EED481
FindClose.KERNEL32(00000000), ref: 00EED498
FindClose.KERNEL32(00000000), ref: 00EED4A1

Strings

\*.*, xrefs: 00EED3F2

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 35d9ba015311f3630948bb3d5d71761ce488e0e57c8028bf233ff3b905da2ccf
Instruction ID: 51d283b23fc7306229d80379b280cd94e4ab2578799922a7e59c0b0242d0b751
Opcode Fuzzy Hash: 35d9ba015311f3630948bb3d5d71761ce488e0e57c8028bf233ff3b905da2ccf
Instruction Fuzzy Hash: 9F31703100C3899BC305FF64D8518EF77E8AEA1314F446A2DF4E9A3191EB30AA09D763

Function 00EBE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00EBE645

Strings

1#SNAN, xrefs: 00EBF844
1#INF, xrefs: 00EBF852
1#IND, xrefs: 00EBF83D
1#QNAN, xrefs: 00EBF84B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c2ee4bc664117fbbe9b732e329b8dcd05c20c79d0df2af2ed591a7258ac65abe
Instruction ID: 3785b77bba91a86b9d9bf3489ff9052c890031790b1f45412a9e32ad43939319
Opcode Fuzzy Hash: c2ee4bc664117fbbe9b732e329b8dcd05c20c79d0df2af2ed591a7258ac65abe
Instruction Fuzzy Hash: 6EC23972E086298FDB29CE28DD407EAB7B5EB49305F1451EAD84DF7241E774AE818F40

Function 00EF648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EF64DC
CoInitialize.OLE32(00000000), ref: 00EF6639
CoCreateInstance.OLE32(00F1FCF8,00000000,00000001,00F1FB68,?), ref: 00EF6650
CoUninitialize.OLE32 ref: 00EF68D4

Strings

.lnk, xrefs: 00EF64BA, 00EF6524, 00EF65E0

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9566d42eecdafc81248f6bef985b47590c9151239b79a5d950c0b4c1d83d72ad
Instruction ID: a9ec2e64228b0a15f1cadd2d502bda30e02961624994ab82e8f664c27693be8b
Opcode Fuzzy Hash: 9566d42eecdafc81248f6bef985b47590c9151239b79a5d950c0b4c1d83d72ad
Instruction Fuzzy Hash: 18D16B71608305AFC304EF24C88196BB7E8FF95308F14596DF599AB292DB71ED05CB92

Function 00F022DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00F022E8

Part of subcall function 00EFE4EC: GetWindowRect.USER32(?,?), ref: 00EFE504

GetDesktopWindow.USER32 ref: 00F02312
GetWindowRect.USER32(00000000), ref: 00F02319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00F02355
GetCursorPos.USER32(?), ref: 00F02381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F023DF

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 10fdd29d134368f3a1e0faf9c83b118d9b983eb30af3f8a755254409aca918f8
Instruction ID: e121a8c984f9ff1d007d5d804bfc35441f6b44c74e7b4e98e2e0315a046f0bc1
Opcode Fuzzy Hash: 10fdd29d134368f3a1e0faf9c83b118d9b983eb30af3f8a755254409aca918f8
Instruction Fuzzy Hash: 1D31C272504319AFD720DF55C849B9BBBEAFF84314F004919F985A7191DB34E908DBE2

Function 00EF9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00EF9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00EF9C8B

Part of subcall function 00EF3874: GetInputState.USER32 ref: 00EF38CB
Part of subcall function 00EF3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00EF9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00EF9C75

Strings

*.*, xrefs: 00EF9B5D

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 425f6430b880de2b839f95f4328b958d74dc8db519e797ca32b4d4418ceeeec3
Instruction ID: c221c77514fef94ffbf6b174d4cb5d265e9a709a6d1b89c36fa54d0562ae5a10
Opcode Fuzzy Hash: 425f6430b880de2b839f95f4328b958d74dc8db519e797ca32b4d4418ceeeec3
Instruction Fuzzy Hash: 04415E7194420E9BCF14EF64C845BEEBBF4EF05314F245055E959B2192EB319E84CFA1

Function 00E9997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E99A4E
GetSysColor.USER32(0000000F), ref: 00E99B23
SetBkColor.GDI32(?,00000000), ref: 00E99B36

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 525d5c49e10aa83a35507fd483f89490ae7f3ce5b48f1a6fea706e6961582acb
Instruction ID: 9316d78f3b546d21bb0b11813cfbb126ec829c74b8773d4da863e88bfce48416
Opcode Fuzzy Hash: 525d5c49e10aa83a35507fd483f89490ae7f3ce5b48f1a6fea706e6961582acb
Instruction Fuzzy Hash: 1CA12870108504BFEB289B2C8C58EFF369DEB42349B15210EF552F6793EA65DD42E272

Function 00F01806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F0307A
Part of subcall function 00F0304E: _wcslen.LIBCMT ref: 00F0309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F0185D
WSAGetLastError.WSOCK32 ref: 00F01884
bind.WSOCK32(00000000,?,00000010), ref: 00F018DB
WSAGetLastError.WSOCK32 ref: 00F018E6
closesocket.WSOCK32(00000000), ref: 00F01915

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 6f433edd84c2398d12ac1ce3d6a1b043fb0009abb500760e302bde49a32ce262
Instruction ID: b9cd8a232a19bb27a4843591ea0f5d07d953aab902752881edb4f6cf561ee0b6
Opcode Fuzzy Hash: 6f433edd84c2398d12ac1ce3d6a1b043fb0009abb500760e302bde49a32ce262
Instruction Fuzzy Hash: 75519171A40200AFEB10AF24C886F6A77E5AB45718F58C098FA596F2D3C771AD41DBA1

Function 00F11C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00F11CC0
IsWindowEnabled.USER32 ref: 00F11CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00F11CDB
IsIconic.USER32 ref: 00F11CE9
IsZoomed.USER32 ref: 00F11CF7

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2f2fb696af3dbad703979c483d9af521bfbe175201e8c2bfcfcee40ef5b3cf2a
Instruction ID: 9541e190c4101ef1c9d533c8c2ff777879624f81539783d1fe679040370e3e45
Opcode Fuzzy Hash: 2f2fb696af3dbad703979c483d9af521bfbe175201e8c2bfcfcee40ef5b3cf2a
Instruction Fuzzy Hash: 0D21D631B802155FD7208F1AD844BDA7BE5FF85324B198058E9498B351CB71DC82EBD0

Function 00E88060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00E8813C
VUUU, xrefs: 00E883E8
VUUU, xrefs: 00E8843C
VUUU, xrefs: 00EC5DF0
VUUU, xrefs: 00E883FA

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 2d200e978b8de8b86d04c711091cc8074e930fd5491bdd7173f224d8d409e899
Instruction ID: c883a702ff3b46e730e0fd21acf26b3f7e1771f5ed32f6530f399d6801b94165
Opcode Fuzzy Hash: 2d200e978b8de8b86d04c711091cc8074e930fd5491bdd7173f224d8d409e899
Instruction Fuzzy Hash: FFA27E71A0061ACBDF24DF58CA40BEEB7B1BF54314F6491AADC19B7281EB319D82DB50

Function 00EEAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00EEAAAC
SetKeyboardState.USER32(00000080), ref: 00EEAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00EEAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00EEAB88

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 44455814dce26ff860e2c7d37a639c5197d7e6159d53009e9c9d090811ee20de
Instruction ID: c9723d0041a603ed385dd9f980320331274cc82ffbc0ce0a229642d320e528e6
Opcode Fuzzy Hash: 44455814dce26ff860e2c7d37a639c5197d7e6159d53009e9c9d090811ee20de
Instruction Fuzzy Hash: 98312A30A4028CAEFB348A66CC05BFA77E6AB54314F0C522EF185B61D1D375A985D7A2

Function 00EFCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00EFCE89
GetLastError.KERNEL32(?,00000000), ref: 00EFCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00EFCEFE

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: dd6c64006b924cedbfcf5a56e1722c97ccc8b9a3e34ab88f615d8d7171b76853
Instruction ID: 6d14b896b8c0dc6924b0392ef32e3b63cc536cba2f229f9a08d2a08b3eb77b00
Opcode Fuzzy Hash: dd6c64006b924cedbfcf5a56e1722c97ccc8b9a3e34ab88f615d8d7171b76853
Instruction Fuzzy Hash: CE21BD7164030D9BDB20CF65CA48BB6B7F8EF40318F30941EE646E2151E770EE049BA0

Function 00EE8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00EE82AA

Strings

|, xrefs: 00EE82DA
(, xrefs: 00EE82F0

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 10a853ca8e55841ecad4e6a56e24b2bd98d75246f05fb1ed9788f89009afc110
Instruction ID: cbe9c6409d12d672991cd77f7df0203cc33ec8a9eefd5259ab6d82fcae699fe2
Opcode Fuzzy Hash: 10a853ca8e55841ecad4e6a56e24b2bd98d75246f05fb1ed9788f89009afc110
Instruction Fuzzy Hash: 63324774A007459FCB28CF19C580AAAB7F0FF48714B15D56EE49AEB3A1EB70E941CB40

Function 00EF5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EF5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00EF5D17
FindClose.KERNEL32(?), ref: 00EF5D5F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1af329209fb9a098e018d5a37d9fd9c1639953458cf28577db260c32d8f96005
Instruction ID: 98f5071b9f616d207d3fc691bbb1d8578282508f3d92f788d7a06e28fbf282d3
Opcode Fuzzy Hash: 1af329209fb9a098e018d5a37d9fd9c1639953458cf28577db260c32d8f96005
Instruction Fuzzy Hash: C151BA35604A059FC704DF28C484AA6B7E4FF4A318F14955EEA5A9B3A1CB31ED00CBA1

Function 00EB2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00EB271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EB2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00EB2731

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f918bafef36be527b0f005c0a452ef1acad2de2fc0cedefc074dd9dbeaeaef69
Instruction ID: 1c39e16b3e98c97b084ddc2f181aadb02aa3963e686fa382f22ec344eb06033c
Opcode Fuzzy Hash: f918bafef36be527b0f005c0a452ef1acad2de2fc0cedefc074dd9dbeaeaef69
Instruction Fuzzy Hash: 0631C47494122C9BCB21DF68DC887D9B7B8AF08310F5051EAE91CA6260EB309F858F44

Function 00EF51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EF51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EF5238
SetErrorMode.KERNEL32(00000000), ref: 00EF52A1

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: de88d1498a6733c9b63c5ed1a9c045e26595c2e69966c9a844e332bd22dfe425
Instruction ID: 0dd49143572d1a0b9a4747a5135035c238f2eb0bac13de2618b8244564a28a58
Opcode Fuzzy Hash: de88d1498a6733c9b63c5ed1a9c045e26595c2e69966c9a844e332bd22dfe425
Instruction Fuzzy Hash: D3313E75A00518DFDB00DF54D884EADBBF5FF49318F198099E909AB362DB31E856CBA0

Function 00EE16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E9FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00EA0668
Part of subcall function 00E9FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00EA0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EE170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EE173A
GetLastError.KERNEL32 ref: 00EE174A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: fd8b6c93bc832932776cd2d638ee82076e3135a4dd6fdcf9aac75071e1a2799d
Instruction ID: 82051b837072e179718a16ba927e14fc19607ac1fc4ab202bc40ad9850895467
Opcode Fuzzy Hash: fd8b6c93bc832932776cd2d638ee82076e3135a4dd6fdcf9aac75071e1a2799d
Instruction Fuzzy Hash: 1911C1B2410308AFD7189F54DC86EAAB7F9EB04714B20956EE056A7241EB70BC81CA60

Function 00EED5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EED608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00EED645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EED650

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 9485b91224298285cb38b90cc6a85e0d3ee7ae5d373eb91b52bac40fd75cb5dc
Instruction ID: 35c86952bf9042dcda955f22a179845d755c6252a7f5b1f624118eb2650fea03
Opcode Fuzzy Hash: 9485b91224298285cb38b90cc6a85e0d3ee7ae5d373eb91b52bac40fd75cb5dc
Instruction Fuzzy Hash: 54117CB1E45228BBDB108F95AC44FEFBBBCEB45B50F108111F914F7290C2704A018BE1

Function 00EE1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00EE168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EE16A1
FreeSid.ADVAPI32(?), ref: 00EE16B1

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d33b5b275e1a4f9072fbf452dac10a75df4a7ed521c720415280385d4e679849
Instruction ID: 14d552d19965e33dae89ec394d0e3eb4ab442e653d2ce850637209af871a3f6a
Opcode Fuzzy Hash: d33b5b275e1a4f9072fbf452dac10a75df4a7ed521c720415280385d4e679849
Instruction Fuzzy Hash: 0AF0F47199030DFBDB00DFE49C89EAEBBBCEB08604F5085A5E501E2181E774AA449A90

Function 00EBC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00EBC36C

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: d32f8b424406d38d3f8402f89ac390995e93dc21ff352899a53e227fc64bc9db
Instruction ID: 4348c5f833abb012ee68c193f62c7bbf0953dacfbcbb392b2222525f0c9bf9e0
Opcode Fuzzy Hash: d32f8b424406d38d3f8402f89ac390995e93dc21ff352899a53e227fc64bc9db
Instruction Fuzzy Hash: 71413B769006196FCB209FB9CC49DFB77B8EB84718F6052ADF915E7180E6709E81CB50

Function 00EDD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00EDD28C

Strings

X64, xrefs: 00EDD2A8

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: a0f853ff5b96f3478080f650d3bb88214ccc620ad334b0380b4bdaaf3b94a7ca
Instruction ID: 7b22138190abef8c32ea2f605a068f7d0993faed6343b88b38196f68f376a1b4
Opcode Fuzzy Hash: a0f853ff5b96f3478080f650d3bb88214ccc620ad334b0380b4bdaaf3b94a7ca
Instruction Fuzzy Hash: 38D0CAB480922DEACF94CBA0EC88DDAB3BCFB08345F105292F546F2100DB3096499F20

Function 00EACAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 1e71b40a1cfbb33dc88290d822204e8fc1b06e524a6539c2b7e37303f0407acc
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 47020A71E002199FDF14CFA9C9806ADFBF1EF49324F25916AD819FB280D731AA41CB94

Function 00EF68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EF6918
FindClose.KERNEL32(00000000), ref: 00EF6961

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 089cd1df342759593fb9f1b9e588712875b8421327454854aabb51a6ce5cecfd
Instruction ID: 06ff71a191ac7afeeef5ce922fb1e2681fa90089c83643d492ecd9e289ec559e
Opcode Fuzzy Hash: 089cd1df342759593fb9f1b9e588712875b8421327454854aabb51a6ce5cecfd
Instruction Fuzzy Hash: DC11D0316042049FD710DF29D484A26BBE1FF85328F15C699E5699F2A2C770EC05CB90

Function 00EF37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00F04891,?,?,00000035,?), ref: 00EF37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00F04891,?,?,00000035,?), ref: 00EF37F4

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: cdafbc39ae490badc5cdcda63ab18d20084593eaa4d28738aba46dccbdc5819e
Instruction ID: 3e95d6a9a992053f6d6b30381b1808349b4dd7df1b5f1ed911586915181e3fd5
Opcode Fuzzy Hash: cdafbc39ae490badc5cdcda63ab18d20084593eaa4d28738aba46dccbdc5819e
Instruction Fuzzy Hash: 7FF0E5B070422C2AE72027769C4DFEB7AAEEFC5761F0001A6F609E22C1D9A09944C7F0

Function 00EEB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00EEB25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00EEB270

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 0d56755e0f50b2917cab9b5587f6b92d2ec1d005da504b4e4913aaeb5513e680
Instruction ID: 9d318b921a1419f40347280234ca1d3011c2524f6f0954bfc7ffd36fe0588e3d
Opcode Fuzzy Hash: 0d56755e0f50b2917cab9b5587f6b92d2ec1d005da504b4e4913aaeb5513e680
Instruction Fuzzy Hash: 94F01D7184428DABDB059FA1C805BEE7BB4FF08309F049009F955A51A1C77986119F94

Function 00EE10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EE11FC), ref: 00EE10D4
CloseHandle.KERNEL32(?,?,00EE11FC), ref: 00EE10E9

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 69a3d6c9fb53811e58bdaefab688ac0d41f691709a7adcb8a03a5c4a1e208e72
Instruction ID: cc54777f5b15d65292a4e57716aed9b3b1a865baff452651615c18f4a8f90c86
Opcode Fuzzy Hash: 69a3d6c9fb53811e58bdaefab688ac0d41f691709a7adcb8a03a5c4a1e208e72
Instruction Fuzzy Hash: 3FE0BF72058614AFFB252B51FC05EB777E9EB04320F25D82DF5A5D04B1DB626C90EB50

Function 00E8CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00ED0C40

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: a09490322eb9711dc7cd0fe4935ea02a6e40b67150a1b2f3432990993583bfb4
Instruction ID: 50be15c066e839033dd1234602775ec8625569b1ad2a1fc7bcde6b634c900b88
Opcode Fuzzy Hash: a09490322eb9711dc7cd0fe4935ea02a6e40b67150a1b2f3432990993583bfb4
Instruction Fuzzy Hash: B2326E709002189BDF14EF90D981BEDB7B5FF06308F28605AE90EBB291D775AD46CB61

Function 00EB676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00EB6766,?,?,00000008,?,?,00EBFEFE,00000000), ref: 00EB6998

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: bb9be40ae88e2e5908989610216440ab03b2d7afe8eb1cb01c883d573b16d636
Instruction ID: 356af82c5a5cc5dd723fe91474da706cce09f9e8fc79d7f940638158b911c00d
Opcode Fuzzy Hash: bb9be40ae88e2e5908989610216440ab03b2d7afe8eb1cb01c883d573b16d636
Instruction Fuzzy Hash: 2FB16E31510609DFDB19CF28C486BA67BE0FF45368F259658E899DF2A1C739D981CB40

Function 00E9B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00ED851F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f2567e3282913a43dc99c6325c6a67254825a5bfb2fba13839b088178a4dd2e8
Instruction ID: 461fc6031b69b7d6359308a73d0042447152a2710dc6f946b54e46fa53260d96
Opcode Fuzzy Hash: f2567e3282913a43dc99c6325c6a67254825a5bfb2fba13839b088178a4dd2e8
Instruction Fuzzy Hash: 81125C719002299BCF24CF58D9816EEB7F5FF48710F1491AAE849FB251EB309E81DB90

Function 00EFEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00EFEABD

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f505187f4da11b7f395f0096eb797c8e349f9698e4ae1b0d2857c4266fd3d40f
Instruction ID: c66d2cf3b7a901e7e4c1a54ce98d7e4882b09cf31d3df63c818ac3fef088bdea
Opcode Fuzzy Hash: f505187f4da11b7f395f0096eb797c8e349f9698e4ae1b0d2857c4266fd3d40f
Instruction Fuzzy Hash: B5E01A312002089FD710EF59D804E9ABBE9AF997A4F009416FD4DE7361DA70A8408BA0

Function 00EA09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00EA03EE), ref: 00EA09DA

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4eab8b112c6a99fa05bc2ce36af79dd347f6b3e981549fcefe0c299c25921a4a
Instruction ID: ac866a93df09ee54d1d6616d06794de1e56d0242e63ae79d0facbfe78babb7a6
Opcode Fuzzy Hash: 4eab8b112c6a99fa05bc2ce36af79dd347f6b3e981549fcefe0c299c25921a4a
Instruction Fuzzy Hash:

Function 00EA781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00EA798B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 96a4f67583ffa95e072c4ba21c3d865360fb2e5336c26c0cc0839c3537e35ae3
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: A051436260C6156ADB3CC5288D5A7BF67D99B8F308F18350AD8C2FF282C619FE45D352

Function 00EB6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8b8f68ef44b8ffb5b897009495af20389a7ee8a3193c81c5c23216c696753e
Instruction ID: b2657488f37fc72974b64d1171bd9d6b8e3407b15ae251721ac4443f0a76bcba
Opcode Fuzzy Hash: 2f8b8f68ef44b8ffb5b897009495af20389a7ee8a3193c81c5c23216c696753e
Instruction Fuzzy Hash: 3B322222D29F014DD7739634CC22376A289AFB73C5F15E737E86AB5DA9EB28C4835100

Function 00E9CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9bd739e36719f30ad77f53a632cd879de1a4e9d4f84d55df17b407266d3be2
Instruction ID: e563c62d3b35f5ac498ccafd9e4f4152f9168647154e5e7799246f89172f9f27
Opcode Fuzzy Hash: bb9bd739e36719f30ad77f53a632cd879de1a4e9d4f84d55df17b407266d3be2
Instruction Fuzzy Hash: E4320831A401078BCF24DA68C4906BDBBA1EB45388F38A967D95AFB391D230DD83DB41

Function 00E87920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2614b8769d5b68e6de92bb2e65ecf812e541c4322e523d9fb0bae950eca4d05
Instruction ID: 3769f9ca82d9bd39b7f6c1011459592abc1cb6bb4b817830e87be9c8e855a544
Opcode Fuzzy Hash: e2614b8769d5b68e6de92bb2e65ecf812e541c4322e523d9fb0bae950eca4d05
Instruction Fuzzy Hash: 4222BE71A046099FDF14DF64C941AAEB3F2FF48304F246129E85AB7291EB36E951CB50

Function 00E891C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca2123daf04cd8e4ef1474138b70f447e2321bf1254e942df2d2f4ff6dffff8
Instruction ID: 758dc4e25ad4ef77c7a8b25ee8fae9e64468c43aa98ac37e0dce859e3b23b58b
Opcode Fuzzy Hash: 2ca2123daf04cd8e4ef1474138b70f447e2321bf1254e942df2d2f4ff6dffff8
Instruction Fuzzy Hash: 900282B0E00209EBDF14DF64D981BADB7F1FF54304F159169E81AAB391EB31AA11CB91

Function 00EB9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd868e8557ec1ad01e8de25fb289feeafeba3b405a55bc679bb3a83aa03c912
Instruction ID: 2e0fd37f3c6e1cb234e9bf986eb39e293c6c3e16346c165de47c7cce0f86ba9c
Opcode Fuzzy Hash: 8bd868e8557ec1ad01e8de25fb289feeafeba3b405a55bc679bb3a83aa03c912
Instruction Fuzzy Hash: 20B12460D2AF444DC72396398831336B74CAFBB2C5F91D71BFC2674D22EB268A835140

Function 00EA1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 7af11f8247339c38701cee4ab28ad94b688b4f0bd6b4191e93dae62808d30367
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 209167722080E34ADB2D4639857407EFFE15A973B6B1A17DDD4F2EE1C1FE20A954D620

Function 00EA19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9dd0e684476f1395a0f2d2ef844faf5ed375e3da0affb8a4aabbac401e676237
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0891B4322090A34EDB2D427A857407EFFE14A973A6B1A17DDD4F2EE1C1FD24E554D620

Function 00EA7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8f924fa14035ea9dc808f6acb6e84f64abafb6ee69225ae822a2ca312a4300
Instruction ID: 7aa9786640288d54b2e974fa75089aa5a464e4273d946f0ef71fccda3dc462de
Opcode Fuzzy Hash: 9c8f924fa14035ea9dc808f6acb6e84f64abafb6ee69225ae822a2ca312a4300
Instruction Fuzzy Hash: C26158B120870966DA34DA288D95BFF63D6DF8F708F143919E8C2FF281D611BE428365

Function 00EA7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f187afd4c7d570bfd0dc3580005d0877652f89a424ed931f68b4a47ebf2f1ed7
Instruction ID: d983c8e516a79ea74182eb3834417905e93937d0d34eb50336eaf2e2ab2a8403
Opcode Fuzzy Hash: f187afd4c7d570bfd0dc3580005d0877652f89a424ed931f68b4a47ebf2f1ed7
Instruction Fuzzy Hash: 2261577160870956DE38CA284DA5BBF23D4AF4F708F14795DE9C3FF281EA12BD428255

Function 00EA1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e83a88d21180a7683f52268cc95f84444d19215dcd46a8c6faef8d4fdc4d84f9
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: FC8185326080A30DDB6D423A853407EFFE15A973A5B1A27DEE4F2DF1C1EE24E554E620

Function 00EF2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bf723f9a3c92f3d16638302ff49e0a26796a1d8b33d6b3a1350720856ae0fa
Instruction ID: 8564b1720c0d8ef5fa79e731ae127ecdc18c36da3dff850a87b9d6aeee54dceb
Opcode Fuzzy Hash: f7bf723f9a3c92f3d16638302ff49e0a26796a1d8b33d6b3a1350720856ae0fa
Instruction Fuzzy Hash: 6A21E7323206158BDB28CF79C82367E73E5A764310F14862EE5A7D73D0DE39A904DB80

Function 00E9D063 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2279f33e6fc92b13980bfeb94ac58b6175621d3adc6e95f2a867b317778a5135
Instruction ID: c45181b31fd6ad21836f885c3b6c83bd4b38d521cb84f01a31c8deb5347d3d8c
Opcode Fuzzy Hash: 2279f33e6fc92b13980bfeb94ac58b6175621d3adc6e95f2a867b317778a5135
Instruction Fuzzy Hash: 2A11835208DFEBABDB4292B90CBE588BF70881602079847EFC5C446EC7EB8C405BD756

Function 00F02ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F02B30
DeleteObject.GDI32(00000000), ref: 00F02B43
DestroyWindow.USER32 ref: 00F02B52
GetDesktopWindow.USER32 ref: 00F02B6D
GetWindowRect.USER32(00000000), ref: 00F02B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00F02CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00F02CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02CF8
GetClientRect.USER32(00000000,?), ref: 00F02D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F02D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02D80
GlobalLock.KERNEL32(00000000), ref: 00F02D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02D98
GlobalUnlock.KERNEL32(00000000), ref: 00F02DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02DA8
GlobalFree.KERNEL32(00000000), ref: 00F02DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F1FC38,00000000), ref: 00F02DDB
GlobalFree.KERNEL32(00000000), ref: 00F02DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00F02E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00F02E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F0303F

Strings

static, xrefs: 00F02D3A, 00F02E91
DISPLAY, xrefs: 00F02EA2
, xrefs: 00F02FC5
AutoIt v3, xrefs: 00F02CF2

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a36f4c915e468581435d8fefa2e60cb687bbfb3eb346ae3f51a2adeae56e084b
Instruction ID: a250e71c8861fde0a47e05e8562e92984947b408f334881c5c918d6e3217d701
Opcode Fuzzy Hash: a36f4c915e468581435d8fefa2e60cb687bbfb3eb346ae3f51a2adeae56e084b
Instruction Fuzzy Hash: 9A027F71940209AFDB14DF64CC89EAE7BB9FF49711F118158F919AB2A1C770ED01EBA0

Function 00F170D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00F1712F
GetSysColorBrush.USER32(0000000F), ref: 00F17160
GetSysColor.USER32(0000000F), ref: 00F1716C
SetBkColor.GDI32(?,000000FF), ref: 00F17186
SelectObject.GDI32(?,?), ref: 00F17195
InflateRect.USER32(?,000000FF,000000FF), ref: 00F171C0
GetSysColor.USER32(00000010), ref: 00F171C8
CreateSolidBrush.GDI32(00000000), ref: 00F171CF
FrameRect.USER32(?,?,00000000), ref: 00F171DE
DeleteObject.GDI32(00000000), ref: 00F171E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00F17230
FillRect.USER32(?,?,?), ref: 00F17262
GetWindowLongW.USER32(?,000000F0), ref: 00F17284

Part of subcall function 00F173E8: GetSysColor.USER32(00000012), ref: 00F17421
Part of subcall function 00F173E8: SetTextColor.GDI32(?,?), ref: 00F17425
Part of subcall function 00F173E8: GetSysColorBrush.USER32(0000000F), ref: 00F1743B
Part of subcall function 00F173E8: GetSysColor.USER32(0000000F), ref: 00F17446
Part of subcall function 00F173E8: GetSysColor.USER32(00000011), ref: 00F17463
Part of subcall function 00F173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F17471
Part of subcall function 00F173E8: SelectObject.GDI32(?,00000000), ref: 00F17482
Part of subcall function 00F173E8: SetBkColor.GDI32(?,00000000), ref: 00F1748B
Part of subcall function 00F173E8: SelectObject.GDI32(?,?), ref: 00F17498
Part of subcall function 00F173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00F174B7
Part of subcall function 00F173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F174CE
Part of subcall function 00F173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00F174DB

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8256284b5bf1182a65ccf8a4a5caf2fbe853d4a872d71a141e28f961a66bcf49
Instruction ID: 1c635f4732394e9cf36632859ff69f17ddaedd6bce1edf8dff4818a195d6a58a
Opcode Fuzzy Hash: 8256284b5bf1182a65ccf8a4a5caf2fbe853d4a872d71a141e28f961a66bcf49
Instruction Fuzzy Hash: 91A1BF72448305BFDB00AF60DC48A9B7BB9FB49320F144A19F966A61E0D730E940EF91

Function 00E98D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00E98E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00ED6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00ED6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00ED6F43

Part of subcall function 00E98F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E98BE8,?,00000000,?,?,?,?,00E98BBA,00000000,?), ref: 00E98FC5

SendMessageW.USER32(?,00001053), ref: 00ED6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00ED6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00ED6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00ED6FB7

Strings

0, xrefs: 00ED6DCF

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 0c0778d27c4d3ade43b56b73cccc335d7416e5d32d8429c26cf1f04b850cf22d
Instruction ID: ef9d22b2d2ec2fb79674b5a39713de829583835e297e91c10fef68dc207c7cff
Opcode Fuzzy Hash: 0c0778d27c4d3ade43b56b73cccc335d7416e5d32d8429c26cf1f04b850cf22d
Instruction Fuzzy Hash: C112CC30200205DFDB25CF24C954BAAB7F1FB49308F14A46AF599EB261CB31EC52EB91

Function 00F02711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F0273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F0286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00F028A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00F028B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00F02900
GetClientRect.USER32(00000000,?), ref: 00F0290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00F02955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F02964
GetStockObject.GDI32(00000011), ref: 00F02974
SelectObject.GDI32(00000000,00000000), ref: 00F02978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00F02988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F02991
DeleteDC.GDI32(00000000), ref: 00F0299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F029C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F029DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00F02A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F02A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F02A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00F02A77
GetStockObject.GDI32(00000011), ref: 00F02A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F02A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00F02A97

Strings

static, xrefs: 00F0294F, 00F02A71
msctls_progress32, xrefs: 00F02A13
DISPLAY, xrefs: 00F0295A
AutoIt v3, xrefs: 00F028F8

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 710e730317a7a86c3f7f4bda50593d30741d41f08bafe56d8b3ab89f73636b60
Instruction ID: eeacaa49f431ac5e5f6a97abb1aa40c1d309d62ee126e2c8ff683bc29d0066f1
Opcode Fuzzy Hash: 710e730317a7a86c3f7f4bda50593d30741d41f08bafe56d8b3ab89f73636b60
Instruction Fuzzy Hash: 50B14971A40219AFEB14DFA8CC49FAA7BA9FB48711F108115FA18E72D0D770ED40DBA0

Function 00EF4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EF4AED
GetDriveTypeW.KERNEL32(?,00F1CB68,?,\\.\,00F1CC08), ref: 00EF4BCA
SetErrorMode.KERNEL32(00000000,00F1CB68,?,\\.\,00F1CC08), ref: 00EF4D36

Strings

SATA, xrefs: 00EF4CD0
RAMDisk, xrefs: 00EF4BF4
SSA, xrefs: 00EF4CA6
ATAPI, xrefs: 00EF4C91
Fibre, xrefs: 00EF4CAD
CDROM, xrefs: 00EF4BFB
Removable, xrefs: 00EF4C10, 00EF4C15
MMC, xrefs: 00EF4CDE
ATA, xrefs: 00EF4C98
SSD, xrefs: 00EF4C4A
1394, xrefs: 00EF4C9F
Network, xrefs: 00EF4C02
Fixed, xrefs: 00EF4C09
PhysicalDrive, xrefs: 00EF4B76
iSCSI, xrefs: 00EF4CC2
USB, xrefs: 00EF4CB4
FileBackedVirtual, xrefs: 00EF4CEC
\\.\, xrefs: 00EF4B3F
Unknown, xrefs: 00EF4BED, 00EF4C83
SAS, xrefs: 00EF4CC9
Virtual, xrefs: 00EF4CE5
RAID, xrefs: 00EF4CBB
SCSI, xrefs: 00EF4C8A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0b9751a25fe114cf999ca8920466ed1d5b777d2b73bfce7ab00e824f2f04d52c
Instruction ID: a06b5a3b4c400a46b71bddafab982a0d7d8c78dde5699adfa1b86ea3e34ec21d
Opcode Fuzzy Hash: 0b9751a25fe114cf999ca8920466ed1d5b777d2b73bfce7ab00e824f2f04d52c
Instruction Fuzzy Hash: 7161E6B1A0520D9BDB04DF14C981ABABBB0AB45714B247015FE0AFB2D2DB36DD41EB53

Function 00F173E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00F17421
SetTextColor.GDI32(?,?), ref: 00F17425
GetSysColorBrush.USER32(0000000F), ref: 00F1743B
GetSysColor.USER32(0000000F), ref: 00F17446
CreateSolidBrush.GDI32(?), ref: 00F1744B
GetSysColor.USER32(00000011), ref: 00F17463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F17471
SelectObject.GDI32(?,00000000), ref: 00F17482
SetBkColor.GDI32(?,00000000), ref: 00F1748B
SelectObject.GDI32(?,?), ref: 00F17498
InflateRect.USER32(?,000000FF,000000FF), ref: 00F174B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F174CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00F174DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F1752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F17554
InflateRect.USER32(?,000000FD,000000FD), ref: 00F17572
DrawFocusRect.USER32(?,?), ref: 00F1757D
GetSysColor.USER32(00000011), ref: 00F1758E
SetTextColor.GDI32(?,00000000), ref: 00F17596
DrawTextW.USER32(?,00F170F5,000000FF,?,00000000), ref: 00F175A8
SelectObject.GDI32(?,?), ref: 00F175BF
DeleteObject.GDI32(?), ref: 00F175CA
SelectObject.GDI32(?,?), ref: 00F175D0
DeleteObject.GDI32(?), ref: 00F175D5
SetTextColor.GDI32(?,?), ref: 00F175DB
SetBkColor.GDI32(?,?), ref: 00F175E5

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 388869f11363665b7631acead295c0b2c473540a7ea079efb7e4d8b089c91748
Instruction ID: cdbf0abcdbc58a3db01a3c73cd6e580fd89d9c71554e5a0c8d9377eaa3bf9345
Opcode Fuzzy Hash: 388869f11363665b7631acead295c0b2c473540a7ea079efb7e4d8b089c91748
Instruction Fuzzy Hash: F7615C72D44218BFDF019FA4DC49AEEBFB9EB08320F158115F915BB2A1D7719940EB90

Function 00F10FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F11128
GetDesktopWindow.USER32 ref: 00F1113D
GetWindowRect.USER32(00000000), ref: 00F11144
GetWindowLongW.USER32(?,000000F0), ref: 00F11199
DestroyWindow.USER32(?), ref: 00F111B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F111ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F1120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F1121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00F11232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00F11245
IsWindowVisible.USER32(00000000), ref: 00F112A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00F112BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00F112D0
GetWindowRect.USER32(00000000,?), ref: 00F112E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00F1130E
GetMonitorInfoW.USER32(00000000,?), ref: 00F11328
CopyRect.USER32(?,?), ref: 00F1133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00F113AA

Strings

0, xrefs: 00F110D3
(, xrefs: 00F1131B
tooltips_class32, xrefs: 00F111E6

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 136dc6032fd23a209604891834b65777ad066a0e7a914529b770687c0e64b18f
Instruction ID: bf683c02e1915530f34a85d730cefe7ece555aa4914eada41d3c6e1539989696
Opcode Fuzzy Hash: 136dc6032fd23a209604891834b65777ad066a0e7a914529b770687c0e64b18f
Instruction Fuzzy Hash: 42B16F71A04341AFD714DF64C885BAABBE5FF88750F00891CFA9DAB2A1C771D844DB91

Function 00F10241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F102E5
_wcslen.LIBCMT ref: 00F1031F
_wcslen.LIBCMT ref: 00F10389
_wcslen.LIBCMT ref: 00F103F1
_wcslen.LIBCMT ref: 00F10475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F104C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F10504

Part of subcall function 00E9F9F2: _wcslen.LIBCMT ref: 00E9F9FD

Part of subcall function 00EE223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EE2258
Part of subcall function 00EE223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EE228A

Strings

SELECTINVERT, xrefs: 00F1057E
SELECTCLEAR, xrefs: 00F1052D
GETSELECTED, xrefs: 00F105E1
SELECT, xrefs: 00F10548
GETSUBITEMCOUNT, xrefs: 00F10384, 00F1039F
ISSELECTED, xrefs: 00F104DD
GETSELECTEDCOUNT, xrefs: 00F10470, 00F1048B
DESELECT, xrefs: 00F1059C
VIEWCHANGE, xrefs: 00F10675
FINDITEM, xrefs: 00F10627
GETTEXT, xrefs: 00F103EC, 00F10407
SELECTALL, xrefs: 00F10515
GETITEMCOUNT, xrefs: 00F10316, 00F10337

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: e03303ba653923cddae26042181af491fc90b01a3d8ed91623908f0b80e10cbe
Instruction ID: e41f1cde0b568e681448e399dfd96b7b50ae6c4846da604968ab2d270964b068
Opcode Fuzzy Hash: e03303ba653923cddae26042181af491fc90b01a3d8ed91623908f0b80e10cbe
Instruction Fuzzy Hash: 8AE1B2316083418FC714EF24C59096AB7E6BFC8724F14496DF89AAB2A1DB70EDC5EB41

Function 00E98891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E98968
GetSystemMetrics.USER32(00000007), ref: 00E98970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E9899B
GetSystemMetrics.USER32(00000008), ref: 00E989A3
GetSystemMetrics.USER32(00000004), ref: 00E989C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E989E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E989F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E98A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E98A3C
GetClientRect.USER32(00000000,000000FF), ref: 00E98A5A
GetStockObject.GDI32(00000011), ref: 00E98A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E98A81

Part of subcall function 00E9912D: GetCursorPos.USER32(?), ref: 00E99141
Part of subcall function 00E9912D: ScreenToClient.USER32(00000000,?), ref: 00E9915E
Part of subcall function 00E9912D: GetAsyncKeyState.USER32(00000001), ref: 00E99183
Part of subcall function 00E9912D: GetAsyncKeyState.USER32(00000002), ref: 00E9919D

SetTimer.USER32(00000000,00000000,00000028,00E990FC), ref: 00E98AA8

Strings

AutoIt v3 GUI, xrefs: 00E98A20

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b409fe80966ac7ad1d533e55c78838703bcab16c9bb481bd6a98f93248d8c976
Instruction ID: 0f850a8c1a684748289678ea149977c8dfeb178d167652a6f66328da7dac70a2
Opcode Fuzzy Hash: b409fe80966ac7ad1d533e55c78838703bcab16c9bb481bd6a98f93248d8c976
Instruction Fuzzy Hash: 73B18C31A402099FDF14DFA8CD45BEE3BB5FB48315F11522AFA15AB2A0DB74E841DB90

Function 00EE0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EE1114
Part of subcall function 00EE10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1120
Part of subcall function 00EE10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE112F
Part of subcall function 00EE10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1136
Part of subcall function 00EE10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EE114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EE0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EE0E29
GetLengthSid.ADVAPI32(?), ref: 00EE0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00EE0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EE0E96
GetLengthSid.ADVAPI32(?), ref: 00EE0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EE0EB5
HeapAlloc.KERNEL32(00000000), ref: 00EE0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EE0EDD
CopySid.ADVAPI32(00000000), ref: 00EE0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EE0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EE0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EE0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0F6E
HeapFree.KERNEL32(00000000), ref: 00EE0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0F7E
HeapFree.KERNEL32(00000000), ref: 00EE0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0F8E
HeapFree.KERNEL32(00000000), ref: 00EE0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00EE0FA1
HeapFree.KERNEL32(00000000), ref: 00EE0FA8

Part of subcall function 00EE1193: GetProcessHeap.KERNEL32(00000008,00EE0BB1,?,00000000,?,00EE0BB1,?), ref: 00EE11A1
Part of subcall function 00EE1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EE0BB1,?), ref: 00EE11A8
Part of subcall function 00EE1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EE0BB1,?), ref: 00EE11B7

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7fb8805db076c21629c5762cd0369cf183a2b548b8768f4bef1b22015ced24de
Instruction ID: aac8de64b3d74f253462dd9912c77dccc816422c4701a4393be23e2c033fa14e
Opcode Fuzzy Hash: 7fb8805db076c21629c5762cd0369cf183a2b548b8768f4bef1b22015ced24de
Instruction Fuzzy Hash: 72717B72A4024EABDF209FA6DC44BEEBBB8BF08304F058115F959F6191D7709E55CBA0

Function 00F0C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F1CC08,00000000,?,00000000,?,?), ref: 00F0C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00F0C5A4
_wcslen.LIBCMT ref: 00F0C5F4
_wcslen.LIBCMT ref: 00F0C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00F0C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00F0C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00F0C84D
RegCloseKey.ADVAPI32(?), ref: 00F0C881
RegCloseKey.ADVAPI32(00000000), ref: 00F0C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00F0C960

Strings

REG_EXPAND_SZ, xrefs: 00F0C5CD
REG_DWORD, xrefs: 00F0C804
REG_QWORD, xrefs: 00F0C8C3
REG_MULTI_SZ, xrefs: 00F0C6F5
REG_SZ, xrefs: 00F0C644
REG_BINARY, xrefs: 00F0C913

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 20e5357c49ace432baf643dac619d60f99bb71b6e967dbace93cac24180712f2
Instruction ID: 4576173ac8d5c82f432a0fc919ac9d5ecbe0f51ed466067f0081f925557769e4
Opcode Fuzzy Hash: 20e5357c49ace432baf643dac619d60f99bb71b6e967dbace93cac24180712f2
Instruction Fuzzy Hash: 48126A356042019FD714EF14C881A2AB7E5FF88724F19895CF89EAB3A2DB31ED41DB91

Function 00F1091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F109C6
_wcslen.LIBCMT ref: 00F10A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F10A54
_wcslen.LIBCMT ref: 00F10A8A
_wcslen.LIBCMT ref: 00F10B06
_wcslen.LIBCMT ref: 00F10B81

Part of subcall function 00E9F9F2: _wcslen.LIBCMT ref: 00E9F9FD

Part of subcall function 00EE2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EE2BFA

Strings

ISCHECKED, xrefs: 00F10CE1
COLLAPSE, xrefs: 00F10B01, 00F10B1C
CHECK, xrefs: 00F10A85, 00F10AA0
EXISTS, xrefs: 00F10B7C, 00F10B97
EXPAND, xrefs: 00F10BF8
GETSELECTED, xrefs: 00F10C4E
GETTEXT, xrefs: 00F10C97
SELECT, xrefs: 00F10D11
GETTOTALCOUNT, xrefs: 00F109F2, 00F10A17
UNCHECK, xrefs: 00F10D3E
GETITEMCOUNT, xrefs: 00F10C1E

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 1814247841c76698b6ec4e36fe5b5bdcead8600fa57426e5eb5f8e825a94da50
Instruction ID: 56a5e9542fae7b6f196ab5b8e0680aed2d98f47f95d21df4f185352ba2d4894e
Opcode Fuzzy Hash: 1814247841c76698b6ec4e36fe5b5bdcead8600fa57426e5eb5f8e825a94da50
Instruction Fuzzy Hash: E7E1AD326083419FC714EF24C45096AB7E2BFD8314B14895CF89AAB3A2DB71EDC5DB91

Function 00F0C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0B6AE,?,?), ref: 00F0C9B5
_wcslen.LIBCMT ref: 00F0C9F1
_wcslen.LIBCMT ref: 00F0CA68
_wcslen.LIBCMT ref: 00F0CA9E
_wcslen.LIBCMT ref: 00F0CAF9
_wcslen.LIBCMT ref: 00F0CB2F
_wcslen.LIBCMT ref: 00F0CB7F

Strings

HKEY_CURRENT_USER, xrefs: 00F0CBBD
HKCR, xrefs: 00F0CB29, 00F0CB2E
HKCC, xrefs: 00F0CBAC
HKEY_LOCAL_MACHINE, xrefs: 00F0CA62, 00F0CA67
HKLM, xrefs: 00F0CA98, 00F0CA9D
HKEY_CLASSES_ROOT, xrefs: 00F0CAF3, 00F0CAF8
HKCU, xrefs: 00F0CBCE
HKEY_USERS, xrefs: 00F0CBDF
HKU, xrefs: 00F0CBF0
HKEY_CURRENT_CONFIG, xrefs: 00F0CB79, 00F0CB7E

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a6bfcf23fa3613b266022ace5067df7b650e789528ea652c131c2f048a91137a
Instruction ID: c9f651fdb2e4794d7d0f69c3b3ba2478a3a07fa7546187f49953fba17498f485
Opcode Fuzzy Hash: a6bfcf23fa3613b266022ace5067df7b650e789528ea652c131c2f048a91137a
Instruction Fuzzy Hash: D5710473A0016A8BCB20EF6CCC516BB3791ABA1760B654724FC56AB2C5E734DD44B3E0

Function 00F1833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F1835A
_wcslen.LIBCMT ref: 00F1836E
_wcslen.LIBCMT ref: 00F18391
_wcslen.LIBCMT ref: 00F183B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F183F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F15BF2), ref: 00F1844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F18487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F184CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F18501
FreeLibrary.KERNEL32(?), ref: 00F1850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F1851D
DestroyIcon.USER32(?,?,?,?,?,00F15BF2), ref: 00F1852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F18549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F18555

Strings

.exe, xrefs: 00F18388
.dll, xrefs: 00F183AB
.icl, xrefs: 00F18368

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b6eb51a06825f529ea9bfdca1013c5e2a4963368870fd17ec9971c04d9588583
Instruction ID: 832693c603a1e862b37c3ff45812b26cb7c56d2d79c5642f6ce0c477bc356519
Opcode Fuzzy Hash: b6eb51a06825f529ea9bfdca1013c5e2a4963368870fd17ec9971c04d9588583
Instruction Fuzzy Hash: 1A61D171940209BAEB14DF64CD41BFE77A8FF48761F108609F815EA0D1DFB4A991E7A0

Function 00E87778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 00EC5153
#cs, xrefs: 00E87873, 00E878C5
#requireadmin, xrefs: 00E877FF
#comments-end, xrefs: 00E878D9
#include-once, xrefs: 00E8782F
#comments-start, xrefs: 00E8785F, 00E878B1
Unterminated group of comments, xrefs: 00EC528C
Bad directive syntax error, xrefs: 00EC519A
Cannot parse #include, xrefs: 00EC5279
#OnAutoItStartRegister, xrefs: 00E87817
#include, xrefs: 00E87847
#pragma compile, xrefs: 00E877D3
', xrefs: 00EC5169
#notrayicon, xrefs: 00E877E7
#ce, xrefs: 00E878ED

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: c2199e38b4fa9cf84ed92fa887bd16c66352fec3e3d86f0d65a875559fe18cc7
Instruction ID: 0dd8919f1db7979dcd660e1e2706312f124f963039a23bf3363d85203c6849c2
Opcode Fuzzy Hash: c2199e38b4fa9cf84ed92fa887bd16c66352fec3e3d86f0d65a875559fe18cc7
Instruction Fuzzy Hash: 9281F271A44605ABDB20BF60CD42FEE77F8AF15300F146029F84CBA196EB72E951D7A1

Function 00EF3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00EF3EF8
_wcslen.LIBCMT ref: 00EF3F03
_wcslen.LIBCMT ref: 00EF3F5A
_wcslen.LIBCMT ref: 00EF3F98
GetDriveTypeW.KERNEL32(?), ref: 00EF3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EF401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EF4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EF4087

Strings

close, xrefs: 00EF3EFE, 00EF3F18
open , xrefs: 00EF3FE5
close cd wait, xrefs: 00EF4072
set cd door , xrefs: 00EF4028
open, xrefs: 00EF3F54, 00EF3F59
closed, xrefs: 00EF3F08, 00EF3F2D, 00EF3F46, 00EF3F7E, 00EF3F97
wait, xrefs: 00EF4044
type cdaudio alias cd wait, xrefs: 00EF4001

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 2cb7494908bd3797df91a6f1577bde06825df8db6de23ccfd81855c986a1a1f1
Instruction ID: 607196999970730444681aecae85de1b6d958f4d4471371eef7ab22bb52980d7
Opcode Fuzzy Hash: 2cb7494908bd3797df91a6f1577bde06825df8db6de23ccfd81855c986a1a1f1
Instruction Fuzzy Hash: F37190726042069FC310EF34C8818BBB7E4EF95758F10592DFA99A7291EB31DE45CB52

Function 00EE5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00EE5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00EE5A40
SetWindowTextW.USER32(?,?), ref: 00EE5A57
GetDlgItem.USER32(?,000003EA), ref: 00EE5A6C
SetWindowTextW.USER32(00000000,?), ref: 00EE5A72
GetDlgItem.USER32(?,000003E9), ref: 00EE5A82
SetWindowTextW.USER32(00000000,?), ref: 00EE5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00EE5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00EE5AC3
GetWindowRect.USER32(?,?), ref: 00EE5ACC
_wcslen.LIBCMT ref: 00EE5B33
SetWindowTextW.USER32(?,?), ref: 00EE5B6F
GetDesktopWindow.USER32 ref: 00EE5B75
GetWindowRect.USER32(00000000), ref: 00EE5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00EE5BD3
GetClientRect.USER32(?,?), ref: 00EE5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00EE5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00EE5C2F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: b14a00c3c9758462aae766fcb85f2f76efd90b0da5ceba728699d9041f52c647
Instruction ID: 4dd6764e77ca8b2561ac5130962f2b1dcfeaa62bcfa0f5c5fa60e6fc6a59e4aa
Opcode Fuzzy Hash: b14a00c3c9758462aae766fcb85f2f76efd90b0da5ceba728699d9041f52c647
Instruction Fuzzy Hash: 37717C32900B49AFDB20DFA9CE85AAEBBF5FF48708F105518E146B35A0D775E940DB50

Function 00EFFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00EFFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00EFFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00EFFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00EFFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00EFFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00EFFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00EFFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00EFFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00EFFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00EFFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00EFFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00EFFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00EFFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00EFFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00EFFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00EFFECC
GetCursorInfo.USER32(?), ref: 00EFFEDC
GetLastError.KERNEL32 ref: 00EFFF1E

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 132fb26792f48d75e872350874598aa19194c65f9639decc52dc2c5974a813c2
Instruction ID: 6becfde4e5a8b7fca9c351c2d5d7dd4dd4c261748e18c2af697adc32a7996e9e
Opcode Fuzzy Hash: 132fb26792f48d75e872350874598aa19194c65f9639decc52dc2c5974a813c2
Instruction Fuzzy Hash: CD4154B0E443196ADB109FBA8C8586EBFE8FF04354B54852AE11DE7281DB789901CF91

Function 00EA00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00EA00C6

Part of subcall function 00EA00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00F5070C,00000FA0,F6612CBC,?,?,?,?,00EC23B3,000000FF), ref: 00EA011C
Part of subcall function 00EA00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00EC23B3,000000FF), ref: 00EA0127
Part of subcall function 00EA00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00EC23B3,000000FF), ref: 00EA0138
Part of subcall function 00EA00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00EA014E
Part of subcall function 00EA00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00EA015C
Part of subcall function 00EA00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00EA016A
Part of subcall function 00EA00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EA0195
Part of subcall function 00EA00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EA01A0

___scrt_fastfail.LIBCMT ref: 00EA00E7

Part of subcall function 00EA00A3: __onexit.LIBCMT ref: 00EA00A9

Strings

InitializeConditionVariable, xrefs: 00EA0148
SleepConditionVariableCS, xrefs: 00EA0154
WakeAllConditionVariable, xrefs: 00EA0162
kernel32.dll, xrefs: 00EA0133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00EA0122

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 53ace4fe6217860530e074f69ac18997f2d12ae959375877db81533d1fde4654
Instruction ID: edc2012803edf273d4f751db3280fdd1f84e65f8e0e1db0d74293c126e911e57
Opcode Fuzzy Hash: 53ace4fe6217860530e074f69ac18997f2d12ae959375877db81533d1fde4654
Instruction Fuzzy Hash: 7B212632A857156BE7105B64BC46BEA37E4EB0EB61F01512AFD01FB291DF60E800AA91

Function 00EE30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EE318D
_wcslen.LIBCMT ref: 00EE31F8

Strings

INSTANCE, xrefs: 00EE3453
CLASS, xrefs: 00EE3188, 00EE31A5
TEXT, xrefs: 00EE347C
REGEXPCLASS, xrefs: 00EE3255, 00EE3266
CLASSNN, xrefs: 00EE31F3, 00EE3204
NAME, xrefs: 00EE3335, 00EE3346

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 72a0dad7c4805bf0e857dcb67ea7c69a7e5fb29656d218b1d8740e377e35dcff
Instruction ID: 0666854599ba77fa66e6620aa9160e5e1763e9284115f90b109af9fe1e1d8280
Opcode Fuzzy Hash: 72a0dad7c4805bf0e857dcb67ea7c69a7e5fb29656d218b1d8740e377e35dcff
Instruction Fuzzy Hash: 5EE13A31A0055AABCB18DFB5C449BEEFBB0FF44714F54A129E466F7281DB30AE858790

Function 00EF44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00F1CC08), ref: 00EF4527
_wcslen.LIBCMT ref: 00EF453B
_wcslen.LIBCMT ref: 00EF4599
_wcslen.LIBCMT ref: 00EF45F4
_wcslen.LIBCMT ref: 00EF463F
_wcslen.LIBCMT ref: 00EF46A7

Part of subcall function 00E9F9F2: _wcslen.LIBCMT ref: 00E9F9FD

GetDriveTypeW.KERNEL32(?,00F46BF0,00000061), ref: 00EF4743

Strings

network, xrefs: 00EF469D, 00EF46A2
cdrom, xrefs: 00EF458F, 00EF4594
removable, xrefs: 00EF45EA, 00EF45EF
all, xrefs: 00EF4531, 00EF4536
ramdisk, xrefs: 00EF46F1
unknown, xrefs: 00EF4708
fixed, xrefs: 00EF4635, 00EF463A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ffc1eaa3d1c701c7f5832859676886974c0218f7e27ba343bb395188a74b2ce7
Instruction ID: 0796e59135ab7fbe18b9f646085574d58d1b7f7dd6aac9c0063d99ada643b2af
Opcode Fuzzy Hash: ffc1eaa3d1c701c7f5832859676886974c0218f7e27ba343bb395188a74b2ce7
Instruction Fuzzy Hash: 04B123B16083069BC710EF28C89097BB7E4AFD6724F50691DF69AE72D1D730D944CB52

Function 00F03FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F1CC08), ref: 00F040BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F040CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00F1CC08), ref: 00F040F2
FreeLibrary.KERNEL32(00000000,?,00F1CC08), ref: 00F0413E
StringFromGUID2.OLE32(?,?,00000028,?,00F1CC08), ref: 00F041A8
SysFreeString.OLEAUT32(00000009), ref: 00F04262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F042C8
SysFreeString.OLEAUT32(?), ref: 00F042F2

Strings

GetModuleHandleExW, xrefs: 00F040C7
kernel32.dll, xrefs: 00F040B6

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 921a126b1c311a7d949b4291864d086e8269e36c8a00f8c1e47110c3c1881ee3
Instruction ID: 86d5e85acd20e1d14a5dcf573862239939930445511d7a48513e13eed42ff574
Opcode Fuzzy Hash: 921a126b1c311a7d949b4291864d086e8269e36c8a00f8c1e47110c3c1881ee3
Instruction Fuzzy Hash: 1E123CB5A00119EFDB14DF54C884EAEB7B5FF45314F248098EA05AB291D731FD46EBA0

Function 00E8326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00F51990), ref: 00EC2F8D
GetMenuItemCount.USER32(00F51990), ref: 00EC303D
GetCursorPos.USER32(?), ref: 00EC3081
SetForegroundWindow.USER32(00000000), ref: 00EC308A
TrackPopupMenuEx.USER32(00F51990,00000000,?,00000000,00000000,00000000), ref: 00EC309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00EC30A9

Strings

0, xrefs: 00E8327D

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: cf9ef4a5ddaeedd4d5bc60e354806213126cdaab65a4391fb1eb1e1b806d455b
Instruction ID: 7361cdbfdab9a4f5a182631032c92c89dd92f5b655ad84c545f429f38a346883
Opcode Fuzzy Hash: cf9ef4a5ddaeedd4d5bc60e354806213126cdaab65a4391fb1eb1e1b806d455b
Instruction Fuzzy Hash: CC711A71644249BEEB219F28CD49FDABF69FF05724F20421EF618761E0C7B2A911D790

Function 00F16CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00F16DEB

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F16E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F16E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F16E94
DestroyWindow.USER32(?), ref: 00F16EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E80000,00000000), ref: 00F16EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F16EFD
GetDesktopWindow.USER32 ref: 00F16F16
GetWindowRect.USER32(00000000), ref: 00F16F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F16F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F16F4D

Part of subcall function 00E99944: GetWindowLongW.USER32(?,000000EB), ref: 00E99952

Strings

0, xrefs: 00F16D98
tooltips_class32, xrefs: 00F16E58, 00F16EDD

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: f5f8fff5b03ec2770cf1c28c205b3ee45d89be793f0a941a65f42691b08f61d3
Instruction ID: 409871da581dc3a9bfe09e268741608a3a00f4c48861acb16e96ef4318a9ed97
Opcode Fuzzy Hash: f5f8fff5b03ec2770cf1c28c205b3ee45d89be793f0a941a65f42691b08f61d3
Instruction Fuzzy Hash: 3D718670644348AFEB21CF18D848BAABBE9FB88314F04451DF999C7260D770E946EF52

Function 00F1911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

DragQueryPoint.SHELL32(?,?), ref: 00F19147

Part of subcall function 00F17674: ClientToScreen.USER32(?,?), ref: 00F1769A
Part of subcall function 00F17674: GetWindowRect.USER32(?,?), ref: 00F17710
Part of subcall function 00F17674: PtInRect.USER32(?,?,00F18B89), ref: 00F17720

SendMessageW.USER32(?,000000B0,?,?), ref: 00F191B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F191BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F191DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F19225
SendMessageW.USER32(?,000000B0,?,?), ref: 00F1923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00F19255
SendMessageW.USER32(?,000000B1,?,?), ref: 00F19277
DragFinish.SHELL32(?), ref: 00F1927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F19371

Strings

@GUI_DROPID, xrefs: 00F1929E
@GUI_DRAGFILE, xrefs: 00F19320
@GUI_DRAGID, xrefs: 00F192E9

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 86a8d7225b311414213eb48c5a241c135d50049f7ffe9eb78d430a8fc035c675
Instruction ID: ccf13c29ba4d2d31158e7f46158bbc40577a65b1722473807741359a2a2d89ce
Opcode Fuzzy Hash: 86a8d7225b311414213eb48c5a241c135d50049f7ffe9eb78d430a8fc035c675
Instruction Fuzzy Hash: 8861AC71108305AFD701EF60DC95DAFBBE8EF89350F04092EF599A31A1DB709A48DB92

Function 00EFC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EFC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EFC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EFC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EFC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00EFC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EFC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EFC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EFC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EFC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EFC5F0
InternetCloseHandle.WININET(00000000), ref: 00EFC5FB

Strings

, xrefs: 00EFC575

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 3701b00c0b4566cf30dc16632df2c6fd8cb2dd9e3d0b8dfde94c6e200c534439
Instruction ID: 554f4cdda617792b0b815191ee9674bf7b7be9d0792175788398363035f4bb04
Opcode Fuzzy Hash: 3701b00c0b4566cf30dc16632df2c6fd8cb2dd9e3d0b8dfde94c6e200c534439
Instruction Fuzzy Hash: 84514EB154020DBFDB218F60CA48ABB7BFCFF08758F209419FA45A6150DB74E944EBA0

Function 00F1856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00F18592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F185A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F185AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F185BA
GlobalLock.KERNEL32(00000000), ref: 00F185C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F185D7
GlobalUnlock.KERNEL32(00000000), ref: 00F185E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F185E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F185F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00F1FC38,?), ref: 00F18611
GlobalFree.KERNEL32(00000000), ref: 00F18621
GetObjectW.GDI32(?,00000018,?), ref: 00F18641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00F18671
DeleteObject.GDI32(?), ref: 00F18699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F186AF

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: fe4dde5608e8a9a3b1793f742cd0d14f0c14d659eb5abf9ad098fb9ddef6a7e5
Instruction ID: df1dde1c9ccefc2827b136aaf460e4c568556cf94e43706bdea0295a116ba91a
Opcode Fuzzy Hash: fe4dde5608e8a9a3b1793f742cd0d14f0c14d659eb5abf9ad098fb9ddef6a7e5
Instruction Fuzzy Hash: 42413971640208AFDB118FA5CD48EEA7BB9EF89761F158058F909E7260DB309D41EB60

Function 00EF14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00EF1502
VariantCopy.OLEAUT32(?,?), ref: 00EF150B
VariantClear.OLEAUT32(?), ref: 00EF1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00EF15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00EF1657
VariantInit.OLEAUT32(?), ref: 00EF1708
SysFreeString.OLEAUT32(?), ref: 00EF178C
VariantClear.OLEAUT32(?), ref: 00EF17D8
VariantClear.OLEAUT32(?), ref: 00EF17E7
VariantInit.OLEAUT32(00000000), ref: 00EF1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00EF1625
Default, xrefs: 00EF16AF

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: b10b2bd4209e4391566ec1f0a95cec0019d3b7bb13bcaad38668908ba11f814a
Instruction ID: aa88a01a2d0c7a1d62eaedd215342d4a3250c2a361726398768639696b2c0b8b
Opcode Fuzzy Hash: b10b2bd4209e4391566ec1f0a95cec0019d3b7bb13bcaad38668908ba11f814a
Instruction Fuzzy Hash: 30D1D031A0421DDBDF04AF65D885BB9B7F6BF45700F14909AEA4ABB181DB30DC41DBA2

Function 00F0B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00F0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0B6AE,?,?), ref: 00F0C9B5
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0C9F1
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA68
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F0B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00F0B80A
RegCloseKey.ADVAPI32(?), ref: 00F0B87E
RegCloseKey.ADVAPI32(?), ref: 00F0B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00F0B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F0B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00F0B922
FreeLibrary.KERNEL32(00000000), ref: 00F0B983
RegCloseKey.ADVAPI32(00000000), ref: 00F0B994

Strings

RegDeleteKeyExW, xrefs: 00F0B8FE
advapi32.dll, xrefs: 00F0B8ED

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 380dfeb00884f15c0eefd92785894764198e03b47ab7a9698f0a8b3bc5a02651
Instruction ID: bf7c59b1931484d0ce6533eef08b60179bda2e1d0d3beb64579ce846fd28b8a1
Opcode Fuzzy Hash: 380dfeb00884f15c0eefd92785894764198e03b47ab7a9698f0a8b3bc5a02651
Instruction Fuzzy Hash: 41C1AD31608201AFD714DF14C494F2ABBE5FF84318F18859CF59A9B2A2CB75EC46EB91

Function 00F0255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F025D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00F025E8
CreateCompatibleDC.GDI32(?), ref: 00F025F4
SelectObject.GDI32(00000000,?), ref: 00F02601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00F0266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00F026AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00F026D0
SelectObject.GDI32(?,?), ref: 00F026D8
DeleteObject.GDI32(?), ref: 00F026E1
DeleteDC.GDI32(?), ref: 00F026E8
ReleaseDC.USER32(00000000,?), ref: 00F026F3

Strings

(, xrefs: 00F0268D

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: bc551c059187009ff7f6780805309b572d850ca1c80bd0490922b2165f688551
Instruction ID: e75d547ca76ecbb5ab1cc844e2a3ef0161dcc3ea0be15a3cceb5056602503c70
Opcode Fuzzy Hash: bc551c059187009ff7f6780805309b572d850ca1c80bd0490922b2165f688551
Instruction Fuzzy Hash: FE61D275D00219EFCF04CFA4DC84AAEBBB5FF48310F248529E959A7250D775A941EFA0

Function 00EBDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00EBDAA1

Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD659
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD66B
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD67D
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD68F
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6A1
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6B3
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6C5
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6D7
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6E9
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6FB
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD70D
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD71F
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD731

_free.LIBCMT ref: 00EBDA96

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EBDAB8
_free.LIBCMT ref: 00EBDACD
_free.LIBCMT ref: 00EBDAD8
_free.LIBCMT ref: 00EBDAFA
_free.LIBCMT ref: 00EBDB0D
_free.LIBCMT ref: 00EBDB1B
_free.LIBCMT ref: 00EBDB26
_free.LIBCMT ref: 00EBDB5E
_free.LIBCMT ref: 00EBDB65
_free.LIBCMT ref: 00EBDB82
_free.LIBCMT ref: 00EBDB9A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ece94b988cee1c1ac0ca4d5f44834684ea241796837c9a8419ea9dd936b0c7e1
Instruction ID: cb69b2dff3487c4c8bb0b8f9fdab21ffc1bf143fee6eb52e029d5616423c5323
Opcode Fuzzy Hash: ece94b988cee1c1ac0ca4d5f44834684ea241796837c9a8419ea9dd936b0c7e1
Instruction Fuzzy Hash: A3316D31608704AFEB22AA38EC85BD7B7E8FF40314F156819E548F7191EF31AC408720

Function 00EE365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00EE369C
_wcslen.LIBCMT ref: 00EE36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EE3797
GetClassNameW.USER32(?,?,00000400), ref: 00EE380C
GetDlgCtrlID.USER32(?), ref: 00EE385D
GetWindowRect.USER32(?,?), ref: 00EE3882
GetParent.USER32(?), ref: 00EE38A0
ScreenToClient.USER32(00000000), ref: 00EE38A7
GetClassNameW.USER32(?,?,00000100), ref: 00EE3921
GetWindowTextW.USER32(?,?,00000400), ref: 00EE395D

Strings

%s%u, xrefs: 00EE3734

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 1124c6e0e070bf42526acf04fbb3c01b12fd157a582279497c29bb0474498b81
Instruction ID: 589c05424b8c5bddd15046319e1e904b205b1b2150225e07af058e09cc2a6f54
Opcode Fuzzy Hash: 1124c6e0e070bf42526acf04fbb3c01b12fd157a582279497c29bb0474498b81
Instruction Fuzzy Hash: 9B91D27120064AAFD708DF36C889BEAB7E8FF84314F009519F999E3191DB31EA45CB91

Function 00EE4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00EE4994
GetWindowTextW.USER32(?,?,00000400), ref: 00EE49DA
_wcslen.LIBCMT ref: 00EE49EB
CharUpperBuffW.USER32(?,00000000), ref: 00EE49F7
_wcsstr.LIBVCRUNTIME ref: 00EE4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00EE4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00EE4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00EE4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00EE4B20
GetWindowRect.USER32(?,?), ref: 00EE4B8B

Strings

ThumbnailClass, xrefs: 00EE4A6F, 00EE4AF1

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: ad005fb8d370309149c6a39ff88c2d2da16a06dbc29b37a5abda447dd0229bfd
Instruction ID: 3dade7433127bb047e73be435848defe56e682f6496fb588042019fc0048216d
Opcode Fuzzy Hash: ad005fb8d370309149c6a39ff88c2d2da16a06dbc29b37a5abda447dd0229bfd
Instruction Fuzzy Hash: 6391A4B10042499FDB04DF16C985BAA77E8FF84318F049469FD89AA0D6EB34ED45CBA1

Function 00F18D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F18D5A
GetFocus.USER32 ref: 00F18D6A
GetDlgCtrlID.USER32(00000000), ref: 00F18D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00F18E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F18ECF
GetMenuItemCount.USER32(?), ref: 00F18EEC
GetMenuItemID.USER32(?,00000000), ref: 00F18EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F18F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F18F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F18FA1

Strings

0, xrefs: 00F18E9F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 336a6749114f46f2689cdde411c5b23183300fa84858166b112c9ba25a45998f
Instruction ID: 542fbe6fd7c219199c54cfcc0ba7b10255c26abfd2a55a1bd088f5f9497b8c97
Opcode Fuzzy Hash: 336a6749114f46f2689cdde411c5b23183300fa84858166b112c9ba25a45998f
Instruction Fuzzy Hash: 8881B2719043059FDB10CF14D984AEB7BEAFB883A4F14051DF985D7291DB30D982EBA1

Function 00EEDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00EEDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00EEDC46
_wcslen.LIBCMT ref: 00EEDC50
_wcsstr.LIBVCRUNTIME ref: 00EEDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00EEDCBC

Strings

DefaultLangCodepage, xrefs: 00EEDD1F
04090000, xrefs: 00EEDCF2
%u.%u.%u.%u, xrefs: 00EEDD9A
StringFileInfo\, xrefs: 00EEDC8F
\VarFileInfo\Translation, xrefs: 00EEDCB4

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 6a9f53681e52962c32719676542342c08252bcaf535c6932b7e1b0e56e093447
Instruction ID: a4d2dd8506643ac13efada799c54111c8797ac26b86b742325a59b76a2758d28
Opcode Fuzzy Hash: 6a9f53681e52962c32719676542342c08252bcaf535c6932b7e1b0e56e093447
Instruction Fuzzy Hash: BA413472A442087ADB00A7658C47EFF7BECEF46760F101169F900FA193EB70E90097A6

Function 00F0CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F0CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00F0CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F0CD48

Part of subcall function 00F0CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00F0CCAA
Part of subcall function 00F0CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00F0CCBD
Part of subcall function 00F0CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F0CCCF
Part of subcall function 00F0CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F0CD05
Part of subcall function 00F0CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F0CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F0CCF3

Strings

RegDeleteKeyExW, xrefs: 00F0CCC9
advapi32.dll, xrefs: 00F0CCB8

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 43de736e869db5f6004937be9ec32e5b52aaee046e60cf14eb08faef8a683a21
Instruction ID: 06d76154d3b4cf39562af43eff1b00df2cef3b748ba71819da497c0b52b6aa18
Opcode Fuzzy Hash: 43de736e869db5f6004937be9ec32e5b52aaee046e60cf14eb08faef8a683a21
Instruction Fuzzy Hash: 92317C71E4212CBBDB209B50DC88EFFBB7CEF05750F014265E915E2280DB349A45BAE0

Function 00EF3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EF3D40
_wcslen.LIBCMT ref: 00EF3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EF3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EF3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00EF3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EF3E55
CloseHandle.KERNEL32(00000000), ref: 00EF3E60
CloseHandle.KERNEL32(00000000), ref: 00EF3E6B

Strings

\??\%s, xrefs: 00EF3D5B
:, xrefs: 00EF3D82
\, xrefs: 00EF3D77

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 75db0b16a6cea772dea37b4bc03cd5edf2ba2f97f155800f4fc858dfd55a4357
Instruction ID: 7e780797bfc33b306351743cee9a7bb5ca6b4ada26d129f1b7f755bc89be4867
Opcode Fuzzy Hash: 75db0b16a6cea772dea37b4bc03cd5edf2ba2f97f155800f4fc858dfd55a4357
Instruction Fuzzy Hash: 6F31A17194025DABDB209FA0DC49FEF37BDEF89744F1050A9F605E6060EB7097448B64

Function 00EEE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00EEE6B4

Part of subcall function 00E9E551: timeGetTime.WINMM(?,?,00EEE6D4), ref: 00E9E555

Sleep.KERNEL32(0000000A), ref: 00EEE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00EEE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00EEE727
SetActiveWindow.USER32 ref: 00EEE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EEE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00EEE773
Sleep.KERNEL32(000000FA), ref: 00EEE77E
IsWindow.USER32 ref: 00EEE78A
EndDialog.USER32(00000000), ref: 00EEE79B

Strings

BUTTON, xrefs: 00EEE719

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 966e3491e531ae3e60ff1fd084b7a58fa1e92402d537a0adc1942ea40e120e04
Instruction ID: d34c1bc952492fd4ee07f9740ff74e540eecb4ffada131b67abff97863c017ea
Opcode Fuzzy Hash: 966e3491e531ae3e60ff1fd084b7a58fa1e92402d537a0adc1942ea40e120e04
Instruction Fuzzy Hash: E521A87024038DAFEB005F32EC89B653B69F75674EF116425F609A22B1DB71AC01BB55

Function 00EEE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00EEEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00EEEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EEEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00EEEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00EEEAA7

Strings

status PlayMe mode, xrefs: 00EEEA58
open , xrefs: 00EEEA0C
play PlayMe wait, xrefs: 00EEEA91
close PlayMe, xrefs: 00EEEA6E, 00EEEA9B
play PlayMe, xrefs: 00EEEAA2
alias PlayMe, xrefs: 00EEEA36

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: c895cd1aa00567edda7358cc1e81a92c625fd4f61a9f8d20bb8b02e1a9df3186
Instruction ID: 92c6a11c2e2bfcdb92517d1da7b31e42bea7feffc1f8561e2759f5342b1921c1
Opcode Fuzzy Hash: c895cd1aa00567edda7358cc1e81a92c625fd4f61a9f8d20bb8b02e1a9df3186
Instruction Fuzzy Hash: 41114271A5025979D720B762DC4ADFB7ABCEBD2B04F001429B819F21D1EAB04945C6B2

Function 00EE5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00EE5CE2
GetWindowRect.USER32(00000000,?), ref: 00EE5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00EE5D59
GetDlgItem.USER32(?,00000002), ref: 00EE5D69
GetWindowRect.USER32(00000000,?), ref: 00EE5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00EE5DCF
GetDlgItem.USER32(?,000003E9), ref: 00EE5DDD
GetWindowRect.USER32(00000000,?), ref: 00EE5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00EE5E31
GetDlgItem.USER32(?,000003EA), ref: 00EE5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EE5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00EE5E67

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7eecec60a8ec50532260493010543a69d6440be9e8f8669e51890c06ed56355c
Instruction ID: 9c4fca5011ebf02ebf04154111ad8ed9525578d1d76685b4adaba6186c5d0c1e
Opcode Fuzzy Hash: 7eecec60a8ec50532260493010543a69d6440be9e8f8669e51890c06ed56355c
Instruction Fuzzy Hash: 37512F71B40609AFDF18CF69DD89AAEBBB5FB48314F158129F519E7290D7709E00CB90

Function 00E98BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E98F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E98BE8,?,00000000,?,?,?,?,00E98BBA,00000000,?), ref: 00E98FC5

DestroyWindow.USER32(?), ref: 00E98C81
KillTimer.USER32(00000000,?,?,?,?,00E98BBA,00000000,?), ref: 00E98D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00ED6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00E98BBA,00000000,?), ref: 00ED69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00E98BBA,00000000,?), ref: 00ED69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00E98BBA,00000000), ref: 00ED69D4
DeleteObject.GDI32(00000000), ref: 00ED69E6

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 232ab1cf66081559ce5e938f9a32d43651ee7c92b58770aaf0fa43301e253b18
Instruction ID: 5409aa8d43f43e10cab98db0a91874c280b7eac288908625c354fbd53927932a
Opcode Fuzzy Hash: 232ab1cf66081559ce5e938f9a32d43651ee7c92b58770aaf0fa43301e253b18
Instruction Fuzzy Hash: 7C619C30502708DFDF259F14CA58B69B7F1FB4131AF14A51AE182AB6B0CB71BD81EB91

Function 00E99838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00E99944: GetWindowLongW.USER32(?,000000EB), ref: 00E99952

GetSysColor.USER32(0000000F), ref: 00E99862

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a84659da984bf2fbdbb0ae607840d1af85f9a0b2a289bac8c537803fe85d8f61
Instruction ID: dd223bab938b471153a013caa64386ebd4f2f369545820670178058f462b9a7b
Opcode Fuzzy Hash: a84659da984bf2fbdbb0ae607840d1af85f9a0b2a289bac8c537803fe85d8f61
Instruction Fuzzy Hash: EE41BF31140604AFDF345B3C9C84BB93BA5EB06324F15560EE9A2A72E2E7319C42EB51

Function 00EB8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

., xrefs: 00EB903A, 00EB8FD0, 00EB8FF2

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-3963672497
Opcode ID: f9b334fdd812e33d495bbfc44ac487132fdfa62ff573b2ac54f4a1a234e90e70
Instruction ID: b20468182793d2102172766b4e9e337ac9a1dbf3537024f7e6a116adfc2efae3
Opcode Fuzzy Hash: f9b334fdd812e33d495bbfc44ac487132fdfa62ff573b2ac54f4a1a234e90e70
Instruction Fuzzy Hash: 5CC1E474A04249AFDB11EFA8D841BEEBBF4AF49314F185159F614BB393CB309941CB61

Function 00EE96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00ECF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00EE9717
LoadStringW.USER32(00000000,?,00ECF7F8,00000001), ref: 00EE9720

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00ECF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00EE9742
LoadStringW.USER32(00000000,?,00ECF7F8,00000001), ref: 00EE9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00EE9866

Strings

^ ERROR, xrefs: 00EE97FB
%s (%d) : ==> %s: %s %s, xrefs: 00EE984A
Error: , xrefs: 00EE981D
Line %d (File "%s"):, xrefs: 00EE978F
Line %d:, xrefs: 00EE97A0

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 652c58e47360255eebc5a8ee17c8dbcfc9d238989a9ae514a0f40d311fe6c5cd
Instruction ID: 7b1c9a7588c3f81e56ee3cd16a294936fddc735fa90882f37f72ae0d21be44d9
Opcode Fuzzy Hash: 652c58e47360255eebc5a8ee17c8dbcfc9d238989a9ae514a0f40d311fe6c5cd
Instruction Fuzzy Hash: 57414D7290024DAACF04FBE0DD46DEEB7B8AF55740F141065F609B2092EB356F49DBA1

Function 00EE06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00EE07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EE07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00EE07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00EE0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00EE082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EE0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EE083C

Strings

SOFTWARE\Classes\, xrefs: 00EE070E
\CLSID, xrefs: 00EE0724
\IPC$, xrefs: 00EE0784

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4b7e810881e57e67eb948dff8834a401999626fc00fa4c4d070ce9cd0f52e4e6
Instruction ID: c3007cd0acde4d131b158d4b13c581614fe5022d8c8fdb4401f8fe3fe51bd3fa
Opcode Fuzzy Hash: 4b7e810881e57e67eb948dff8834a401999626fc00fa4c4d070ce9cd0f52e4e6
Instruction Fuzzy Hash: C3412672C1022DABDF15FBA4DC858EDB7B8BF04754B05512AE909B3161EB749E44CBA0

Function 00F13F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F1403B
CreateCompatibleDC.GDI32(00000000), ref: 00F14042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F14055
SelectObject.GDI32(00000000,00000000), ref: 00F1405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F14068
DeleteDC.GDI32(00000000), ref: 00F14072
GetWindowLongW.USER32(?,000000EC), ref: 00F1407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00F14092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00F1409E

Strings

static, xrefs: 00F13FD3

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: b96b197e79493b71b3072ae025ed334a2156f73264f7f6151daee65870b6006a
Instruction ID: 90d79e43f04ba5b12888a7aad4d5cc192c2543441a77bb1f23fe49a7c4b9e0bd
Opcode Fuzzy Hash: b96b197e79493b71b3072ae025ed334a2156f73264f7f6151daee65870b6006a
Instruction Fuzzy Hash: BB316E32541219BBDF219FA4DC09FDA3B69FF0D360F124211FA18E61A0C775D861EBA4

Function 00F03C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F03C5C
CoInitialize.OLE32(00000000), ref: 00F03C8A
CoUninitialize.OLE32 ref: 00F03C94
_wcslen.LIBCMT ref: 00F03D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00F03DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F03ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00F03F0E
CoGetObject.OLE32(?,00000000,00F1FB98,?), ref: 00F03F2D
SetErrorMode.KERNEL32(00000000), ref: 00F03F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F03FC4
VariantClear.OLEAUT32(?), ref: 00F03FD8

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 4ab59db31495bf070a6ea579ad0b260fa84a7f1770794d042a1bfcaa66ac53ad
Instruction ID: 7eae4e635aceccf00a35f5ca5c495e2c11253a823f972fac83540498a9b84f30
Opcode Fuzzy Hash: 4ab59db31495bf070a6ea579ad0b260fa84a7f1770794d042a1bfcaa66ac53ad
Instruction Fuzzy Hash: 17C15671A083059FD700DF68C88492BBBE9FF89754F00491DF98A9B291D731EE05EB92

Function 00EF7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EF7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EF7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00EF7BA3
CoCreateInstance.OLE32(00F1FD08,00000000,00000001,00F46E6C,?), ref: 00EF7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EF7C74
CoTaskMemFree.OLE32(?,?), ref: 00EF7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00EF7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EF7D7A
CoTaskMemFree.OLE32(00000000), ref: 00EF7D81
CoTaskMemFree.OLE32(00000000), ref: 00EF7DD6
CoUninitialize.OLE32 ref: 00EF7DDC

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: f35b8d8abed8075c099dba959560b1b13267bdd41c99f6f79333263de3c6e697
Instruction ID: cf53b48ae2c8a952e13f1d3a9d6b50f3f61a20b34fc156f1d284b09cc1474ca8
Opcode Fuzzy Hash: f35b8d8abed8075c099dba959560b1b13267bdd41c99f6f79333263de3c6e697
Instruction Fuzzy Hash: BFC14B75A04109AFCB14DFA4C884DAEBBF9FF49304B149498E95AEB361D731EE41CB90

Function 00F1541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F15504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F15515
CharNextW.USER32(00000158), ref: 00F15544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F15585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F1559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F155AC

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: c5909dc50ebe54e16d5e7a9561d03b5fcf3f124aa54dc7cdf95cbe2c6e76b940
Instruction ID: e2fac1761c1310ecb3c5ae657368f4abe8844929ff0da7e27fa133d0a1f73c87
Opcode Fuzzy Hash: c5909dc50ebe54e16d5e7a9561d03b5fcf3f124aa54dc7cdf95cbe2c6e76b940
Instruction Fuzzy Hash: 7461B031900608EFDF10DF50CC94AFE3BB9EB89B35F108145F925AA290D7748AC0EBA1

Function 00EDFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00EDFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00EDFB08
VariantInit.OLEAUT32(?), ref: 00EDFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00EDFB3A
VariantCopy.OLEAUT32(?,?), ref: 00EDFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00EDFBA1
VariantClear.OLEAUT32(?), ref: 00EDFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00EDFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EDFBCC
VariantClear.OLEAUT32(?), ref: 00EDFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EDFBE9

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 12cde59f1beb919855eab79c7148980a700b2c9c06b5fbbb3fb117ce3d13f423
Instruction ID: 3e00e63a7b968abbd52a3baef460e10655d0e59689d94bd7afd87a38396396e3
Opcode Fuzzy Hash: 12cde59f1beb919855eab79c7148980a700b2c9c06b5fbbb3fb117ce3d13f423
Instruction Fuzzy Hash: 05416235A04219DFDF04DFA4D8549EDBBB9FF08344F01906AE946A7361C730A946CFA0

Function 00EE9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00EE9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00EE9D22
GetKeyState.USER32(000000A0), ref: 00EE9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00EE9D57
GetKeyState.USER32(000000A1), ref: 00EE9D6C
GetAsyncKeyState.USER32(00000011), ref: 00EE9D84
GetKeyState.USER32(00000011), ref: 00EE9D96
GetAsyncKeyState.USER32(00000012), ref: 00EE9DAE
GetKeyState.USER32(00000012), ref: 00EE9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00EE9DD8
GetKeyState.USER32(0000005B), ref: 00EE9DEA

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0e35682423230cde1dcdc0ecb7a016b045888ad6c2fc641ed00efe196ee492f1
Instruction ID: 9fd22c762e4ac96c35ad72fda0a98476f9f0793b0f9c97de6bd2eebe9baf0785
Opcode Fuzzy Hash: 0e35682423230cde1dcdc0ecb7a016b045888ad6c2fc641ed00efe196ee492f1
Instruction Fuzzy Hash: 8441D5345047DD69FF34966288043F5FEE16B1134CF08A05ADAC66A5C3DBA599C8C7A2

Function 00F0055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F005BC
inet_addr.WSOCK32(?), ref: 00F0061C
gethostbyname.WSOCK32(?), ref: 00F00628
IcmpCreateFile.IPHLPAPI ref: 00F00636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F006C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F006E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00F007B9
WSACleanup.WSOCK32 ref: 00F007BF

Strings

Ping, xrefs: 00F00676

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: fceb795f7d8f6a5c6752d4be8ef0c12b3176176e37c5e9f9d2258f55e46fe964
Instruction ID: 2573323ff0aea23ea7dda9fd25c8bd0c778506c45438566d58eadee70c64d0fb
Opcode Fuzzy Hash: fceb795f7d8f6a5c6752d4be8ef0c12b3176176e37c5e9f9d2258f55e46fe964
Instruction Fuzzy Hash: 2591C235A042019FD720DF15C888F1ABBE1AF45328F1885A9F4699B7A2CB34FD41EF91

Function 00F08CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00F08CF3

Part of subcall function 00EE8E54: _wcslen.LIBCMT ref: 00EE8E77

_wcslen.LIBCMT ref: 00F08D4E
_wcslen.LIBCMT ref: 00F08D9C
_wcslen.LIBCMT ref: 00F08DDC
_wcslen.LIBCMT ref: 00F08E6E

Strings

stdcall, xrefs: 00F08DD6, 00F08DDB
cdecl, xrefs: 00F08D48, 00F08D4D
winapi, xrefs: 00F08D96, 00F08D9B
none, xrefs: 00F08E65, 00F08E6A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 7ceeb6d2af318a14dec9455a686e84b389924a8e69cef1bfc08faeeaa2942ecd
Instruction ID: 107aae7f8fa5fbd68ae5101ea62fa8837304074c3bd088f94ea78775c836321a
Opcode Fuzzy Hash: 7ceeb6d2af318a14dec9455a686e84b389924a8e69cef1bfc08faeeaa2942ecd
Instruction Fuzzy Hash: 7E51B431E005169BCF14DFA8C9405BEB7E5BF65360B254229E89AE72C5DB30DD41F790

Function 00F0372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00F03774
CoUninitialize.OLE32 ref: 00F0377F
CoCreateInstance.OLE32(?,00000000,00000017,00F1FB78,?), ref: 00F037D9
IIDFromString.OLE32(?,?), ref: 00F0384C
VariantInit.OLEAUT32(?), ref: 00F038E4
VariantClear.OLEAUT32(?), ref: 00F03936

Strings

Invalid parameter, xrefs: 00F03865
Failed to create object, xrefs: 00F037E4, 00F0389A
NULL Pointer assignment, xrefs: 00F0381E

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 68847103cb5be1bc186e90ca255536241e39985f3c95b82132ac2604d2384248
Instruction ID: 7d203c5de864816c6e44be6af9aa5942b03d0c82120d932edf3a24c5682d5ca7
Opcode Fuzzy Hash: 68847103cb5be1bc186e90ca255536241e39985f3c95b82132ac2604d2384248
Instruction Fuzzy Hash: 2961B072608301AFD310DF54C888F6ABBE8EF49710F104949F985AB2D1D770EE48EB92

Function 00EF3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00EF33CF

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00EF33F0

Strings

Error: , xrefs: 00EF34D1
Incorrect parameters to object property !, xrefs: 00EF34AB
"%s" (%d) : ==> %s:, xrefs: 00EF3522
"%s" (%d) : ==> %s:%s%s, xrefs: 00EF3504
Line %d (File "%s"):, xrefs: 00EF3443, 00EF345C
^ ERROR , xrefs: 00EF349E

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 74e009ce21910a7a264bde0802804b58b0797df7f8bf9c17d8d6178eb7e8966d
Instruction ID: 63b0b3272715781a9ce94cb76562ec3b760c3a0a8cbb3b06da11ca9889dd3198
Opcode Fuzzy Hash: 74e009ce21910a7a264bde0802804b58b0797df7f8bf9c17d8d6178eb7e8966d
Instruction Fuzzy Hash: 94518B71D0020AAADF15FBE0CD46EFEB7B9AF04740F245065F509B20A2EB256F58DB61

Function 00EEB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EEB5FC
_wcslen.LIBCMT ref: 00EEB608
_wcslen.LIBCMT ref: 00EEB64D
_wcslen.LIBCMT ref: 00EEB68C
_wcslen.LIBCMT ref: 00EEB6C7

Strings

REMOVE, xrefs: 00EEB602, 00EEB607
EXISTS, xrefs: 00EEB686, 00EEB68B
KEYS, xrefs: 00EEB647, 00EEB64C
APPEND, xrefs: 00EEB6C1, 00EEB6C6

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 8573a5a7784b8ce8623229028a058be500775f7dc501e6f8977bad311435f5a1
Instruction ID: 99345bd97da0aefa4990c35bf4debc256be792597ec25f336d78acae5aacfce7
Opcode Fuzzy Hash: 8573a5a7784b8ce8623229028a058be500775f7dc501e6f8977bad311435f5a1
Instruction Fuzzy Hash: A541DD72A0016B9BCB105F7EC8905BF77A5AFA1758B245129E465FB284F731CD81C790

Function 00EF5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EF53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EF5416
GetLastError.KERNEL32 ref: 00EF5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00EF54A7

Strings

READY, xrefs: 00EF5460, 00EF5468
UNKNOWN, xrefs: 00EF5444
NOTREADY, xrefs: 00EF544B
INVALID, xrefs: 00EF5459
READONLY, xrefs: 00EF5452

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1a1cd8e8cc5153ae0771db3c435a1343d970b37a15562b05cc9bc269487b4667
Instruction ID: 528f3120e2bc03c9d63fd1032e6618f4845f537237692c0319628406aff92c51
Opcode Fuzzy Hash: 1a1cd8e8cc5153ae0771db3c435a1343d970b37a15562b05cc9bc269487b4667
Instruction Fuzzy Hash: 7A31B536A005099FD710DF68C484AF9BBF4EF15309F149056EA16EB292D731DD82CBA1

Function 00F13C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00F13C79
SetMenu.USER32(?,00000000), ref: 00F13C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F13D10
IsMenu.USER32(?), ref: 00F13D24
CreatePopupMenu.USER32 ref: 00F13D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F13D5B
DrawMenuBar.USER32 ref: 00F13D63

Strings

F, xrefs: 00F13D4E
0, xrefs: 00F13C54

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b4e59989165d235e7924d278d92ce76895049f1d274e4d9c57a1cb6dc43f2ebf
Instruction ID: fece29bd83db75fd547cd6937fe988f18ec02388940fff7a455bd2af40c69e42
Opcode Fuzzy Hash: b4e59989165d235e7924d278d92ce76895049f1d274e4d9c57a1cb6dc43f2ebf
Instruction Fuzzy Hash: 4E416879A01209AFDB14CF64E844BEA7BB6FF49354F144029EA46A7360D770AA10EB94

Function 00EE1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00EE1F64
GetDlgCtrlID.USER32 ref: 00EE1F6F
GetParent.USER32 ref: 00EE1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE1F8E
GetDlgCtrlID.USER32(?), ref: 00EE1F97
GetParent.USER32(?), ref: 00EE1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE1FAE

Strings

ComboBox, xrefs: 00EE1EEC
ListBox, xrefs: 00EE1F21

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 259dcf9061880ba999de24ddf98f93a03d49a309e5ddc12a5f035925436cc2f5
Instruction ID: cab6c30531c2c06c10f34076bce74ed099ff7b39cd04ec5895ac90557026f544
Opcode Fuzzy Hash: 259dcf9061880ba999de24ddf98f93a03d49a309e5ddc12a5f035925436cc2f5
Instruction Fuzzy Hash: F421B070E40218BFCF04AFA1CC95DFEBBB8EF05310B105155B96977292DB399948DBA0

Function 00EE1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00EE2043
GetDlgCtrlID.USER32 ref: 00EE204E
GetParent.USER32 ref: 00EE206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE206D
GetDlgCtrlID.USER32(?), ref: 00EE2076
GetParent.USER32(?), ref: 00EE208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE208D

Strings

ComboBox, xrefs: 00EE1FCD
ListBox, xrefs: 00EE2002

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: e26e9a742604a19231112b2caa10305a0e4c8b7b8df1068d70eac76fe20052fe
Instruction ID: c6ab1094085b4dfeeefbec6169d10f1504679a01c395c4a35d2307078b161060
Opcode Fuzzy Hash: e26e9a742604a19231112b2caa10305a0e4c8b7b8df1068d70eac76fe20052fe
Instruction Fuzzy Hash: FF21D171D40218BFCF15AFA1CC85EFEBBB8EF09300F105005B959B71A2DA798914EB60

Function 00F13A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F13A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F13AA0
GetWindowLongW.USER32(?,000000F0), ref: 00F13AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F13AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F13B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00F13BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00F13BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00F13BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00F13BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00F13C13

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: baa22df319c1f90c4990387de54f48da4bf38a5d78aaa5aca51ec9b3a1142ef2
Instruction ID: e3cb1e1e3af52112ce7ba6faf92b7b3517e977a45dc8edfe505301ae04393729
Opcode Fuzzy Hash: baa22df319c1f90c4990387de54f48da4bf38a5d78aaa5aca51ec9b3a1142ef2
Instruction Fuzzy Hash: DD618A75A00248AFDB10DFA8CC81FEE77F8EB49710F104099FA15A72A1D774AE85EB50

Function 00EEB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EEB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00EEA1E1,?,00000001), ref: 00EEB165
GetWindowThreadProcessId.USER32(00000000), ref: 00EEB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EEA1E1,?,00000001), ref: 00EEB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00EEB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00EEA1E1,?,00000001), ref: 00EEB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EEA1E1,?,00000001), ref: 00EEB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00EEA1E1,?,00000001), ref: 00EEB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00EEA1E1,?,00000001), ref: 00EEB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00EEA1E1,?,00000001), ref: 00EEB21D

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b59627b86fbeb130438dc50cdcc036069ecd9455dd12103c3384e4e8d55ed61a
Instruction ID: 035401eb02a3f13a2a866d634ae53d1dffa574d72c4bb934fd25e062a4c4cef0
Opcode Fuzzy Hash: b59627b86fbeb130438dc50cdcc036069ecd9455dd12103c3384e4e8d55ed61a
Instruction Fuzzy Hash: 8B31CE7554034CBFDB109F2ADC48BAF7BA9BF5435AF119004FB04E61A0D7B49A009FA4

Function 00EB2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EB2C94

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EB2CA0
_free.LIBCMT ref: 00EB2CAB
_free.LIBCMT ref: 00EB2CB6
_free.LIBCMT ref: 00EB2CC1
_free.LIBCMT ref: 00EB2CCC
_free.LIBCMT ref: 00EB2CD7
_free.LIBCMT ref: 00EB2CE2
_free.LIBCMT ref: 00EB2CED
_free.LIBCMT ref: 00EB2CFB

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 16bf2d0648d33846a952f3c6b01b14ea63274378ad9443da0af611d922437b5c
Instruction ID: 7b743ac391e0ff3df73cc629b8362886047f8e18ffe957e77af4b7d337f37b29
Opcode Fuzzy Hash: 16bf2d0648d33846a952f3c6b01b14ea63274378ad9443da0af611d922437b5c
Instruction Fuzzy Hash: DF117476500108BFCB02EF54D982CDE3BA5FF49350F5159A9FA48AF222DA31EE509B90

Function 00EF7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EF7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF7FC1
GetFileAttributesW.KERNEL32(?), ref: 00EF7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00EF8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EF80B0

Strings

*.*, xrefs: 00EF8066

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0f47527053b270bcd3e9fffb7af9bd53a65ef98f86e4846f37711cb37626077d
Instruction ID: 6e3f59ee597647687d66d5263f1fb61c20985313a578e2557dbafffbe00e9783
Opcode Fuzzy Hash: 0f47527053b270bcd3e9fffb7af9bd53a65ef98f86e4846f37711cb37626077d
Instruction Fuzzy Hash: 1881D1725082099BDB20EF14C8449BEB3E8BF89318F54685EFAC9E7250EB34DD45CB52

Function 00E85BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E85C7A

Part of subcall function 00E85D0A: GetClientRect.USER32(?,?), ref: 00E85D30
Part of subcall function 00E85D0A: GetWindowRect.USER32(?,?), ref: 00E85D71
Part of subcall function 00E85D0A: ScreenToClient.USER32(?,?), ref: 00E85D99

GetDC.USER32 ref: 00EC46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EC4708
SelectObject.GDI32(00000000,00000000), ref: 00EC4716
SelectObject.GDI32(00000000,00000000), ref: 00EC472B
ReleaseDC.USER32(?,00000000), ref: 00EC4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00EC47C4

Strings

U, xrefs: 00EC4693

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: d372e91147aa827a3d26ff736b77624caf52f6b56ea4de42427d313b42ca6519
Instruction ID: 6323038511778019afdc18bc709b034b2193a13e8a777e0f821854a8d3adc6b8
Opcode Fuzzy Hash: d372e91147aa827a3d26ff736b77624caf52f6b56ea4de42427d313b42ca6519
Instruction Fuzzy Hash: 8571D171400209DFCF219F64CA94FEA7BB1FF46318F14626AED596A1A6C7329842DF50

Function 00EF359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00EF35E4

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

LoadStringW.USER32(00F52390,?,00000FFF,?), ref: 00EF360A

Strings

^ ERROR, xrefs: 00EF36C9
Error: , xrefs: 00EF36EF
"%s" (%d) : ==> %s:, xrefs: 00EF3742
"%s" (%d) : ==> %s:%s%s, xrefs: 00EF3724
Line %d (File "%s"):, xrefs: 00EF366B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 1b04a672ef0235b3484ed58bfbb8e418335c38217569e40a685d77617ff67c60
Instruction ID: 8778be548c4df85369126ad3a3507e2d691e1ba7599fc7bc9916ab5859d58c7b
Opcode Fuzzy Hash: 1b04a672ef0235b3484ed58bfbb8e418335c38217569e40a685d77617ff67c60
Instruction Fuzzy Hash: 29513E71D00209AADF15FBA0DC42EFEBBB4AF04704F146125F609721A2EB356B95DBA1

Function 00F18B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

Part of subcall function 00E9912D: GetCursorPos.USER32(?), ref: 00E99141
Part of subcall function 00E9912D: ScreenToClient.USER32(00000000,?), ref: 00E9915E
Part of subcall function 00E9912D: GetAsyncKeyState.USER32(00000001), ref: 00E99183
Part of subcall function 00E9912D: GetAsyncKeyState.USER32(00000002), ref: 00E9919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00F18B6B
ImageList_EndDrag.COMCTL32 ref: 00F18B71
ReleaseCapture.USER32 ref: 00F18B77
SetWindowTextW.USER32(?,00000000), ref: 00F18C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00F18C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00F18CFF

Strings

@GUI_DROPID, xrefs: 00F18C51
@GUI_DRAGFILE, xrefs: 00F18C9A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 59f31cd1d81fbf41ac4c36d17dc8f33b983ef093705d79251bb8b116faf11eb7
Instruction ID: e825f2bd1b51379e8f59450408b68af3313755e069a8d757b65d9cd675382055
Opcode Fuzzy Hash: 59f31cd1d81fbf41ac4c36d17dc8f33b983ef093705d79251bb8b116faf11eb7
Instruction Fuzzy Hash: 5951BE70504304AFD700EF14DC56BAA77E4FB88751F04062DF95AA72E2CB30A944EBA2

Function 00EFC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EFC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EFC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EFC2CA
GetLastError.KERNEL32 ref: 00EFC322
SetEvent.KERNEL32(?), ref: 00EFC336
InternetCloseHandle.WININET(00000000), ref: 00EFC341

Strings

, xrefs: 00EFC2BB

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1720e8646db7cec01d57e3026813fe9de653f7e47d3d5782273ae1463c5adb97
Instruction ID: ffab49baf1452239b0a7e997a4b815bad17bccc6f7734371200d19dadcc61cb4
Opcode Fuzzy Hash: 1720e8646db7cec01d57e3026813fe9de653f7e47d3d5782273ae1463c5adb97
Instruction Fuzzy Hash: F731BFB160160CAFD7219F648E88ABB7BFCEB49784F34951EF546A2200DB30DD059BA0

Function 00EE989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00EC3AAF,?,?,Bad directive syntax error,00F1CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00EE98BC
LoadStringW.USER32(00000000,?,00EC3AAF,?), ref: 00EE98C3

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00EE9987

Strings

., xrefs: 00EE996D
%s (%d) : ==> %s.: %s %s, xrefs: 00EE98F1
Line %d (File "%s"):, xrefs: 00EE992D
Line %d:, xrefs: 00EE9912
Error: , xrefs: 00EE9955

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 7cc2414a4eb9c6a1c90ee23febdd53b243fa8699e28c0cdec3819029d49a8c89
Instruction ID: 41fe636feabd483e7bafa58975cd4318019ef0a83132b60222db573fa76f8129
Opcode Fuzzy Hash: 7cc2414a4eb9c6a1c90ee23febdd53b243fa8699e28c0cdec3819029d49a8c89
Instruction Fuzzy Hash: F7218D31D4025EABCF15AF90CC06EEE77B5BF18700F045429F519720A2EB369618DB51

Function 00EE209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00EE20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00EE20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EE214D

Strings

list, xrefs: 00EE212F
smallicons, xrefs: 00EE2115
details, xrefs: 00EE20FB
largeicons, xrefs: 00EE20E1
SHELLDLL_DefView, xrefs: 00EE20CC

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 7d41eb4e0951cf257257ea408ae03ae699dc3997d9c86b99f0b083518da8fd56
Instruction ID: f02af724245bcec6b153a52a70656a350479fc706a0b2e4aafdbfe27a5631f79
Opcode Fuzzy Hash: 7d41eb4e0951cf257257ea408ae03ae699dc3997d9c86b99f0b083518da8fd56
Instruction Fuzzy Hash: 07112C766C470EBAF6013A21DC07DE637DCCB49728B20201AFB04B90E2FEB1A9016555

Function 00EBCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00EBCEB7
_free.LIBCMT ref: 00EBCF22
_free.LIBCMT ref: 00EBCF48
_free.LIBCMT ref: 00EBCF71
_free.LIBCMT ref: 00EBCFA9
_free.LIBCMT ref: 00EBCFDA
_free.LIBCMT ref: 00EBD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00EBD09C
_free.LIBCMT ref: 00EBD0B5

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 176712d94db984d6b12aca9e0e475149fbc9688077862c4d7b5670ef22258955
Instruction ID: b8cf40785291db921f68d670909bfa01431b08195e19451824f014210d9c9d8e
Opcode Fuzzy Hash: 176712d94db984d6b12aca9e0e475149fbc9688077862c4d7b5670ef22258955
Instruction Fuzzy Hash: 32616A71A08304AFDF21AFB49C81AFB7BE6EF05324F2451ADFA44B7281EA319D019750

Function 00F150D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00F15186
ShowWindow.USER32(?,00000000), ref: 00F151C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00F151CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00F151D1

Part of subcall function 00F16FBA: DeleteObject.GDI32(00000000), ref: 00F16FE6

GetWindowLongW.USER32(?,000000F0), ref: 00F1520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F1521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F1524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00F15287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00F15296

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: f4a772f61799041f3c32e32db4943f22a4b6e15961aa1ed64dfbbbe9050e6a59
Instruction ID: adf3a7565b2fc687ef2ec97972573e9fcb459b1cc04b82a1d3f704f20fba006c
Opcode Fuzzy Hash: f4a772f61799041f3c32e32db4943f22a4b6e15961aa1ed64dfbbbe9050e6a59
Instruction Fuzzy Hash: F651B432A50A08FEEF219F64CC45BD83B65FB85B21F148115F615A62E1C7B5A9C0FF40

Function 00E98B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00ED6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00ED68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00ED68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00ED68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00ED68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E98874,00000000,00000000,00000000,000000FF,00000000), ref: 00ED6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00ED691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E98874,00000000,00000000,00000000,000000FF,00000000), ref: 00ED692D

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 576073ead9d9e0077996a81a38ba2d5f8adc90f6bdfa192c5843974a5a461b60
Instruction ID: 8ef36cdf8359450b57c0b1035ae01c8c4c72220a47012f24130e8068a5178c40
Opcode Fuzzy Hash: 576073ead9d9e0077996a81a38ba2d5f8adc90f6bdfa192c5843974a5a461b60
Instruction Fuzzy Hash: 6B518874600209EFDF24CF24CC55FAA7BB6FB48354F145519FA46A72A0EB70E991EB80

Function 00EFC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EFC182
GetLastError.KERNEL32 ref: 00EFC195
SetEvent.KERNEL32(?), ref: 00EFC1A9

Part of subcall function 00EFC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EFC272
Part of subcall function 00EFC253: GetLastError.KERNEL32 ref: 00EFC322
Part of subcall function 00EFC253: SetEvent.KERNEL32(?), ref: 00EFC336
Part of subcall function 00EFC253: InternetCloseHandle.WININET(00000000), ref: 00EFC341

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 6ed11a7df4445dc17aba44ed788a9bc6e0bd7df1bd9259e573df270c404825f8
Instruction ID: 346529988c9bb43d1bab77124032545192a4308bb8e6284b77fc916638b0ea88
Opcode Fuzzy Hash: 6ed11a7df4445dc17aba44ed788a9bc6e0bd7df1bd9259e573df270c404825f8
Instruction Fuzzy Hash: EC31A471240A0DAFEB219FA5DE44AB67BF8FF14300B30941DF65692620D730D814EBA0

Function 00EE25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE3A57
Part of subcall function 00EE3A3D: GetCurrentThreadId.KERNEL32 ref: 00EE3A5E
Part of subcall function 00EE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EE25B3), ref: 00EE3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EE25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00EE25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EE2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00EE2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EE2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00EE2627

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1df4b23449a5435b97cd77bbc3926fbba47c668d66327ca46d9bd9da383662c9
Instruction ID: 8f7823f2cb78a7ccd05330ed627fd1bead2726a88ffc0b2cba4abbc62f87fb7f
Opcode Fuzzy Hash: 1df4b23449a5435b97cd77bbc3926fbba47c668d66327ca46d9bd9da383662c9
Instruction Fuzzy Hash: 3101D8303D0358BBFB10676A9C8EF997F99DB4EB11F115015F318BF0D1C9E114449AA9

Function 00EE1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00EE1449,?,?,00000000), ref: 00EE180C
HeapAlloc.KERNEL32(00000000,?,00EE1449,?,?,00000000), ref: 00EE1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EE1449,?,?,00000000), ref: 00EE1828
GetCurrentProcess.KERNEL32(?,00000000,?,00EE1449,?,?,00000000), ref: 00EE1830
DuplicateHandle.KERNEL32(00000000,?,00EE1449,?,?,00000000), ref: 00EE1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EE1449,?,?,00000000), ref: 00EE1843
GetCurrentProcess.KERNEL32(00EE1449,00000000,?,00EE1449,?,?,00000000), ref: 00EE184B
DuplicateHandle.KERNEL32(00000000,?,00EE1449,?,?,00000000), ref: 00EE184E
CreateThread.KERNEL32(00000000,00000000,00EE1874,00000000,00000000,00000000), ref: 00EE1868

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a441594fb693bb1822fa0304a2b71de4230bbb48a430473fd77dad3f14720ab3
Instruction ID: 61f99da41efbe8c21e0c269615f441bc6ec60d61e58860279ddad4d27a494938
Opcode Fuzzy Hash: a441594fb693bb1822fa0304a2b71de4230bbb48a430473fd77dad3f14720ab3
Instruction Fuzzy Hash: 2701BFB52C0348BFE710AB65DC4DF977B6CEB89B11F018411FA05DB192C6709800DB60

Function 00EB3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00EB3F0B
__alldvrm.LIBCMT ref: 00EB410C
__alldvrm.LIBCMT ref: 00EB412E

Strings

}}, xrefs: 00EB3E8A
}}, xrefs: 00EB40CD
}}, xrefs: 00EB3E96, 00EB3EF1, 00EB3F0A, 00EB4090

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}$}}$}}
API String ID: 1036877536-1495402609
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 1987bea809140b77a8af8bba7ad2daeddb054942d9ecac8270a97aaaa4422c74
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 9CA178B1E013869FDB22DF28C8927FFBBE5EF62354F1451ADE585AB282C2348941C751

Function 00F0A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00EED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00EED501
Part of subcall function 00EED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00EED50F
Part of subcall function 00EED4DC: CloseHandle.KERNELBASE(00000000), ref: 00EED5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F0A16D
GetLastError.KERNEL32 ref: 00F0A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F0A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F0A268
GetLastError.KERNEL32(00000000), ref: 00F0A273
CloseHandle.KERNEL32(00000000), ref: 00F0A2C4

Strings

SeDebugPrivilege, xrefs: 00F0A18F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: acbd9b3a7926cb45ab88518c7df5272fdd2881f79ca3f2bd429422444f275b6c
Instruction ID: f0a2c34a8358fc09725b7cd38226c0a57e5be0109c5e32a1c150a79f3f6e4a21
Opcode Fuzzy Hash: acbd9b3a7926cb45ab88518c7df5272fdd2881f79ca3f2bd429422444f275b6c
Instruction Fuzzy Hash: BF618C31604342AFD710DF14C494F16BBE1AF44318F19849CE46A9B7A3C772EC45EB92

Function 00F13886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F13925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00F1393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F13954
_wcslen.LIBCMT ref: 00F13999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00F139C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F139F4

Strings

SysListView32, xrefs: 00F138F7

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 85cd1904b9d670f816cbecb280cbe4e9d01904c08cb7a363204c1e74594280c8
Instruction ID: 4b750d961e90a8a32da2e6e602b9a850fc338d3c2f86f1ae8496a64c68f14694
Opcode Fuzzy Hash: 85cd1904b9d670f816cbecb280cbe4e9d01904c08cb7a363204c1e74594280c8
Instruction Fuzzy Hash: 1F41A171A00319ABEF219F64CC45BEA7BA9EF08360F100526F958E7281D775DE84EB90

Function 00EEBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EEBCFD
IsMenu.USER32(00000000), ref: 00EEBD1D
CreatePopupMenu.USER32 ref: 00EEBD53
GetMenuItemCount.USER32(01104BA8), ref: 00EEBDA4
InsertMenuItemW.USER32(01104BA8,?,00000001,00000030), ref: 00EEBDCC

Strings

0, xrefs: 00EEBCA8
2, xrefs: 00EEBD37

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f0940446be7a274e5f20087e148cded6f7a2a5937a59b0162de212df089fe4bd
Instruction ID: 61099c117b045e326acf1ef04ac4f5793992d95323df9b801a4679b99b9dfc65
Opcode Fuzzy Hash: f0940446be7a274e5f20087e148cded6f7a2a5937a59b0162de212df089fe4bd
Instruction Fuzzy Hash: F7519C70A0028D9BDB20CFAADC84BEFBBF9AF45318F249219E411F7290D7709945CB61

Function 00EA2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00EA2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00EA2D53
_ValidateLocalCookies.LIBCMT ref: 00EA2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00EA2E0C
_ValidateLocalCookies.LIBCMT ref: 00EA2E61

Strings

&H, xrefs: 00EA2DFE, 00EA2E07, 00EA2E18
csm, xrefs: 00EA2DF6

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H$csm
API String ID: 1170836740-1242228090
Opcode ID: 4e92426f9133dd98c3c172d7416cf734bd2633f0c28e1b8c2b399365acd54df3
Instruction ID: 3783d7bbf119b33640efb5c2dc6a0c57d5f91f150a6928422b00798670d85234
Opcode Fuzzy Hash: 4e92426f9133dd98c3c172d7416cf734bd2633f0c28e1b8c2b399365acd54df3
Instruction Fuzzy Hash: 4A41A334A00209ABCF14DF6CC845A9EBBE5BF4A328F149159E914BF292D735FA01CBD0

Function 00EEC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00EEC913

Strings

info, xrefs: 00EEC8B4
stop, xrefs: 00EEC8E4
warning, xrefs: 00EEC8FC
question, xrefs: 00EEC8CC
blank, xrefs: 00EEC895

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2971896de50016e6bb3096d4f1a5685042c11d22538e43e657ccd5aa3549d6c1
Instruction ID: aa5c5e350c13978f140406cd5f96f9ce8fa6c4d6f79b2252cfc90c890b30a01d
Opcode Fuzzy Hash: 2971896de50016e6bb3096d4f1a5685042c11d22538e43e657ccd5aa3549d6c1
Instruction Fuzzy Hash: 38112E3168934EBAA70457559C82CDE77DCDF56318B30202AF904F61C3E7B5AD026269

Function 00EEDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00EEDE42
gethostname.WSOCK32(?,00000100), ref: 00EEDE5C
gethostbyname.WSOCK32(?), ref: 00EEDE69
inet_ntoa.WSOCK32(?), ref: 00EEDEAB
_strcat.LIBCMT ref: 00EEDEB9
WSACleanup.WSOCK32 ref: 00EEDEDE

Strings

0.0.0.0, xrefs: 00EEDE87

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 5a7cd77b2faad7a42736cdd4cf4788202eb3dcb6225602a742b6e15cc8cc81d0
Instruction ID: d2482e160189f2059447f1cf0b2d0d7825b0563171e40337c270dc82a91d6104
Opcode Fuzzy Hash: 5a7cd77b2faad7a42736cdd4cf4788202eb3dcb6225602a742b6e15cc8cc81d0
Instruction Fuzzy Hash: 8611367190810DAFCB20AB61DC4AEEF37FCDF55724F011169F405FA0A1EFB19A809A90

Function 00F19F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

GetSystemMetrics.USER32(0000000F), ref: 00F19FC7
GetSystemMetrics.USER32(0000000F), ref: 00F19FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F1A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F1A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F1A263
ShowWindow.USER32(00000003,00000000), ref: 00F1A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00F1A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00F1A2CA

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 8e12958f27fcbfa85a699af954d346d3e91036a4c1c4d8ab15b64a15784bb80b
Instruction ID: be1e4daa949a2d81613519f05584397398c1fcc9ce180edb0db31f887294f1ed
Opcode Fuzzy Hash: 8e12958f27fcbfa85a699af954d346d3e91036a4c1c4d8ab15b64a15784bb80b
Instruction Fuzzy Hash: E1B1A931A01219EFDF14CF68C9857EE7BF2BF48711F098069EC49AB295D731A980EB51

Function 00EEED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00EEED2A
_wcslen.LIBCMT ref: 00EEED3B
_wcslen.LIBCMT ref: 00EEED79
_wcslen.LIBCMT ref: 00EEEDAF
_wcslen.LIBCMT ref: 00EEEDDF
_wcslen.LIBCMT ref: 00EEEDEF
_wcslen.LIBCMT ref: 00EEEE2B
_wcslen.LIBCMT ref: 00EEEE5A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 787a468aa48f926ba3dbd7d5ba9a28be8fd5504726ebaea23747ab3a57836550
Instruction ID: 192ba5e825bf757571434ecb7d559cfac7de911135092bee22a5e332b1cee4bd
Opcode Fuzzy Hash: 787a468aa48f926ba3dbd7d5ba9a28be8fd5504726ebaea23747ab3a57836550
Instruction Fuzzy Hash: 18419065C10258A5CB11EBF48C8AACFB7ECAF4A310F50A462E514F7271EB34E255C3A5

Function 00E9F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00ED682C,00000004,00000000,00000000), ref: 00E9F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00ED682C,00000004,00000000,00000000), ref: 00EDF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00ED682C,00000004,00000000,00000000), ref: 00EDF454

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b88c97ed442b00cc77192788af5725e1712c36711f4117e576a1c03321fdaf7a
Instruction ID: f6255a1416fcff949fb158ac90b87d4c1bd8ab50f507c560afa32623499a5712
Opcode Fuzzy Hash: b88c97ed442b00cc77192788af5725e1712c36711f4117e576a1c03321fdaf7a
Instruction Fuzzy Hash: F2413F31604640BECF38CB68C8887AA7BD2ABD6318F15B43DE047F6661C671E481D750

Function 00F12D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F12D1B
GetDC.USER32(00000000), ref: 00F12D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F12D2E
ReleaseDC.USER32(00000000,00000000), ref: 00F12D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F12D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F12D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F15A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00F12DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F12DE1

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 57764abb55cf117d0ec52411e8eb304d0eaf6cfd9096bf5988b703d9cf2a2312
Instruction ID: e955908cbc2b11ed6b785e04a20754c98ecd721c84f014b285c8d152ecf152f9
Opcode Fuzzy Hash: 57764abb55cf117d0ec52411e8eb304d0eaf6cfd9096bf5988b703d9cf2a2312
Instruction Fuzzy Hash: D5319C72241214BFEB118F50DC8AFEB3BA9EF09721F058055FE08DA291C6759C50DBA4

Function 00EE5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00EE5637
_memcmp.LIBVCRUNTIME ref: 00EE5659
_memcmp.LIBVCRUNTIME ref: 00EE5671
_memcmp.LIBVCRUNTIME ref: 00EE5684
_memcmp.LIBVCRUNTIME ref: 00EE569E
_memcmp.LIBVCRUNTIME ref: 00EE56B1
_memcmp.LIBVCRUNTIME ref: 00EE56C9
_memcmp.LIBVCRUNTIME ref: 00EE56E4

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e96fa9b9c19d650e6b5a842cb56a57463cc433dbcc98d6c7105a719b0084802a
Instruction ID: 078a83958ea5301dc4536aa2a731fbca18a96bbe54a3bdd576b13613f5b51460
Opcode Fuzzy Hash: e96fa9b9c19d650e6b5a842cb56a57463cc433dbcc98d6c7105a719b0084802a
Instruction Fuzzy Hash: 9721AA73640A4E77D6149A125D92FFB339CAF1538CF441021FD057E581F760EE1895E6

Function 00F04FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00F05007
NULL Pointer assignment, xrefs: 00F0502E, 00F05383

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 878e5785ddb533c91df92be4997972c02c5def96956da4699c2e8cdb86cb1c7f
Instruction ID: 1a80b7d4adc93c944f8230fde1182b917f3fe5b1ced1ebffab3fe5a350706f2b
Opcode Fuzzy Hash: 878e5785ddb533c91df92be4997972c02c5def96956da4699c2e8cdb86cb1c7f
Instruction Fuzzy Hash: 93D1B175E0060A9FDF10CFA8C881BAEB7B5BF48754F148069E915AB281E7B0DD45EF90

Function 00EC1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00EC17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00EC15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00EC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00EC1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00EC17FB,?,00EC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00EC16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00EC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00EC16FB

Part of subcall function 00EB3820: RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00EC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00EC1777
__freea.LIBCMT ref: 00EC17A2
__freea.LIBCMT ref: 00EC17AE

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 52f680e5bc6655d95d1319c0a22895dbca54f85efa429b8e5822541ab32415cd
Instruction ID: f33a92574accaf7bd319a735197e6642d8a7e903bd258da3e9e9f2840f60b5b3
Opcode Fuzzy Hash: 52f680e5bc6655d95d1319c0a22895dbca54f85efa429b8e5822541ab32415cd
Instruction Fuzzy Hash: A7919371E002169ADB208E64CA51FEE7BF5AF4B714F18659EE801F7182D736DC4287A0

Function 00F04523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F04648
VariantInit.OLEAUT32(?), ref: 00F04749
VariantClear.OLEAUT32(?), ref: 00F04753
VariantClear.OLEAUT32(?), ref: 00F047B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00F045D8, 00F04706, 00F047BE
Incorrect Object type in FOR..IN loop, xrefs: 00F0472C

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: ba44e3cc01619f7b2ca9cf0336c7050047536faae7359180b0df2669f9fd5576
Instruction ID: 81ef30a1325581e1ed3d18fce45788d66a363b48b6bf7982ffba2814e564fb6c
Opcode Fuzzy Hash: ba44e3cc01619f7b2ca9cf0336c7050047536faae7359180b0df2669f9fd5576
Instruction Fuzzy Hash: E29174B1E00215ABDF20CF95CC44FAEBBB8EF45714F108559F605AB281D770A945EFA0

Function 00EF1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00EF125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00EF1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00EF12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EF12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EF135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EF13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EF1430

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: cac65ae4eb3950db6c4dc73dcdaae4184bf57495122623396b7dd27dc7668a2e
Instruction ID: 3d964d8fd176ce35efbc991c48e50dd2da6cd175567daaed1c71b6ed5a7983f2
Opcode Fuzzy Hash: cac65ae4eb3950db6c4dc73dcdaae4184bf57495122623396b7dd27dc7668a2e
Instruction Fuzzy Hash: 68919A71A0020DDFEB009F94C884BBEB7B5EF45324F11A0A9EA50FB2A1D774A941DB90

Function 00E9948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6436f9be736c21388792100a1dfe505a875ff9c1585e6ef7b1f238f46a781187
Instruction ID: 700f85501ed2a2394ceffa8591d6220cfa401da33f6307a84fe7f1f869de7404
Opcode Fuzzy Hash: 6436f9be736c21388792100a1dfe505a875ff9c1585e6ef7b1f238f46a781187
Instruction Fuzzy Hash: 54913671D40219EFCF10CFA9C884AEEBBB8FF49320F159059E515B7252D374A942DBA0

Function 00F03947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F0396B
CharUpperBuffW.USER32(?,?), ref: 00F03A7A
_wcslen.LIBCMT ref: 00F03A8A
VariantClear.OLEAUT32(?), ref: 00F03C1F

Part of subcall function 00EF0CDF: VariantInit.OLEAUT32(00000000), ref: 00EF0D1F
Part of subcall function 00EF0CDF: VariantCopy.OLEAUT32(?,?), ref: 00EF0D28
Part of subcall function 00EF0CDF: VariantClear.OLEAUT32(?), ref: 00EF0D34

Strings

Incorrect Parameter format, xrefs: 00F039A6, 00F03BA1
AUTOIT.ERROR, xrefs: 00F03A80, 00F03A85

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 917ce234fd264b23fd2d7ecb3a86d4ae38456015afa4895544cf9d57130d9344
Instruction ID: 64e71a677c5c30e15c9fdf363c1c9686ae4c6e61a765e708da0b3ab2a879c700
Opcode Fuzzy Hash: 917ce234fd264b23fd2d7ecb3a86d4ae38456015afa4895544cf9d57130d9344
Instruction Fuzzy Hash: B7917F75A083059FC704EF24C48096AB7E9FF89314F14892DF889A7391DB31EE45EB92

Function 00F04BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00EE000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?,?,00EE035E), ref: 00EE002B
Part of subcall function 00EE000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0046
Part of subcall function 00EE000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0054
Part of subcall function 00EE000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?), ref: 00EE0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00F04C51
_wcslen.LIBCMT ref: 00F04D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00F04DCF
CoTaskMemFree.OLE32(?), ref: 00F04DDA

Strings

NULL Pointer assignment, xrefs: 00F04E23, 00F04E52

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 77bf604014a67e132c0e98aee73afd4bde33bbe4b29361d294f1badd8566245d
Instruction ID: d1931ef86ff89a9605e22bc825066027405fa28806bdf90282cd3c9fe420bd13
Opcode Fuzzy Hash: 77bf604014a67e132c0e98aee73afd4bde33bbe4b29361d294f1badd8566245d
Instruction Fuzzy Hash: 23912BB1D0021D9FDF14EFA4D891AEDB7B8BF48310F108169E919B7291DB74AA44DF60

Function 00F120FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00F12183
GetMenuItemCount.USER32(00000000), ref: 00F121B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F121DD
_wcslen.LIBCMT ref: 00F12213
GetMenuItemID.USER32(?,?), ref: 00F1224D
GetSubMenu.USER32(?,?), ref: 00F1225B

Part of subcall function 00EE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE3A57
Part of subcall function 00EE3A3D: GetCurrentThreadId.KERNEL32 ref: 00EE3A5E
Part of subcall function 00EE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EE25B3), ref: 00EE3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F122E3

Part of subcall function 00EEE97B: Sleep.KERNEL32 ref: 00EEE9F3

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 6f23d2183e97e89f8524fbd898b94d32be5ee3cbc315e46a878c7998e902b69f
Instruction ID: 66368d474d5a0fc2b0d514c6178db050842f6b9e3d793fe36e8b62d8af76632c
Opcode Fuzzy Hash: 6f23d2183e97e89f8524fbd898b94d32be5ee3cbc315e46a878c7998e902b69f
Instruction Fuzzy Hash: DD717D75E00205AFDB54EFA8C845AEEB7F1EF88320F148459E91AFB341D734A9919B90

Function 00F17E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01104CE8), ref: 00F17F37
IsWindowEnabled.USER32(01104CE8), ref: 00F17F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00F1801E
SendMessageW.USER32(01104CE8,000000B0,?,?), ref: 00F18051
IsDlgButtonChecked.USER32(?,?), ref: 00F18089
GetWindowLongW.USER32(01104CE8,000000EC), ref: 00F180AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F180C3

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 00eef524c8e3e5b40ef6998f3489d9cb09c40825af6b774308009b2e869be96e
Instruction ID: 3750300b6fc0288724d12cbba3b4a7c7bace5deff971ea824ae887dcb2ed3783
Opcode Fuzzy Hash: 00eef524c8e3e5b40ef6998f3489d9cb09c40825af6b774308009b2e869be96e
Instruction Fuzzy Hash: 1071A035A08348AFEB25AF64CC84FEB7BB5FF09350F144059E95957261CB31A886FB90

Function 00EEAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00EEAEF9
GetKeyboardState.USER32(?), ref: 00EEAF0E
SetKeyboardState.USER32(?), ref: 00EEAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00EEAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00EEAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00EEAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00EEB020

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0bdef07d84e9d22c653bb737e0705d6f150079665b47acb01574384d3019fc1b
Instruction ID: 3e567c1bc97cc8439e0c2fade17d9b3d288509d22aac00e86bb6fd9ee3e53939
Opcode Fuzzy Hash: 0bdef07d84e9d22c653bb737e0705d6f150079665b47acb01574384d3019fc1b
Instruction Fuzzy Hash: 3F51CEA06046D97DFB368336C845BBBBEE95B06308F0C949DE1D9658D2C398A8C8D791

Function 00EEACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00EEAD19
GetKeyboardState.USER32(?), ref: 00EEAD2E
SetKeyboardState.USER32(?), ref: 00EEAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00EEADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00EEADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00EEAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00EEAE38

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4bbd325c6a7c7b0510e800f04cd783911c819240872a4931c42001ad50346754
Instruction ID: 7dd7c651bf03b37f073eeb2b06b016b8eadc08cb6d4bd79cbc6c85a497cd8ee6
Opcode Fuzzy Hash: 4bbd325c6a7c7b0510e800f04cd783911c819240872a4931c42001ad50346754
Instruction Fuzzy Hash: 4F51E5A05047D93DFB3282268C95BBA7ED95F45308F0C949CE1D9668D2D294FCC8D752

Function 00EB542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00EC3CD6,?,?,?,?,?,?,?,?,00EB5BA3,?,?,00EC3CD6,?,?), ref: 00EB5470
__fassign.LIBCMT ref: 00EB54EB
__fassign.LIBCMT ref: 00EB5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00EC3CD6,00000005,00000000,00000000), ref: 00EB552C
WriteFile.KERNEL32(?,00EC3CD6,00000000,00EB5BA3,00000000,?,?,?,?,?,?,?,?,?,00EB5BA3,?), ref: 00EB554B
WriteFile.KERNEL32(?,?,00000001,00EB5BA3,00000000,?,?,?,?,?,?,?,?,?,00EB5BA3,?), ref: 00EB5584

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: bd5454658b1233d83248606d9de6edb1eed6b88c33a382c1a1d0b38181494aa2
Instruction ID: b46957b36a532399b2873862ac03510d63664c5a226ef0a2bccf05ddd4d25fa4
Opcode Fuzzy Hash: bd5454658b1233d83248606d9de6edb1eed6b88c33a382c1a1d0b38181494aa2
Instruction Fuzzy Hash: 7351B071A00649AFDB20CFA8D845BEEBBF9EF09301F14511AE955F7291D6309A41CF60

Function 00F010B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F0307A
Part of subcall function 00F0304E: _wcslen.LIBCMT ref: 00F0309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F01112
WSAGetLastError.WSOCK32 ref: 00F01121
WSAGetLastError.WSOCK32 ref: 00F011C9
closesocket.WSOCK32(00000000), ref: 00F011F9

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 04e81d630d8cb73423e10cc672c1e70abcd7fbefc78f561599e61cbe6b01e724
Instruction ID: 5c6f1927f355c44ba0663c633d6629892cf4035b8cfe76129cb6cbdac94d6e34
Opcode Fuzzy Hash: 04e81d630d8cb73423e10cc672c1e70abcd7fbefc78f561599e61cbe6b01e724
Instruction Fuzzy Hash: C741C131600208AFDB149F14C884BAABBE9FF45328F158059F919AB2D1C774ED41EBE1

Function 00EECF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EEDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EECF22,?), ref: 00EEDDFD

Part of subcall function 00EEDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EECF22,?), ref: 00EEDE16

lstrcmpiW.KERNEL32(?,?), ref: 00EECF45
MoveFileW.KERNEL32(?,?), ref: 00EECF7F
_wcslen.LIBCMT ref: 00EED005
_wcslen.LIBCMT ref: 00EED01B
SHFileOperationW.SHELL32(?), ref: 00EED061

Strings

\*.*, xrefs: 00EECFF3

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: c727c968159f622fea206d1ab07a63fe050e750448db0f2873f8ade970a519fe
Instruction ID: 8815888be68f83a1db54ed6bbff9f425f2c3624c5649e952691e6c60e9a8a219
Opcode Fuzzy Hash: c727c968159f622fea206d1ab07a63fe050e750448db0f2873f8ade970a519fe
Instruction Fuzzy Hash: 0B41747194525C5FDF12EBA5CD81ADEB7F9AF08380F1410E6E509FB142EA34A689CB50

Function 00F12DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00F12E1C
GetWindowLongW.USER32(?,000000F0), ref: 00F12E4F
GetWindowLongW.USER32(?,000000F0), ref: 00F12E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00F12EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00F12EE0
GetWindowLongW.USER32(?,000000F0), ref: 00F12EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F12F0B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: dc4a5beff08b8abfad3d7630e2a1ee3885fc038dc69c83256bee837d1ef8a66f
Instruction ID: 5e0dea8937bb0a7b0042ebed65de18e0b52abc987beb656cdb1eb2211b29005e
Opcode Fuzzy Hash: dc4a5beff08b8abfad3d7630e2a1ee3885fc038dc69c83256bee837d1ef8a66f
Instruction Fuzzy Hash: 3A311731A442589FEB61CF98DC94FA537E1FB4A721F154164FA148F2B1CB71ACA0EB41

Function 00EE7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EE7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EE778F
SysAllocString.OLEAUT32(00000000), ref: 00EE7792
SysAllocString.OLEAUT32(?), ref: 00EE77B0
SysFreeString.OLEAUT32(?), ref: 00EE77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00EE77DE
SysAllocString.OLEAUT32(?), ref: 00EE77EC

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c2e19683a336bd64f8f4b4fb8bb0daa2b97e716b0444b391705857a5cd73fec1
Instruction ID: d836b2c33920e97f5a504dfdc01097fe568e1a2ecc01b16683cf0237dde63383
Opcode Fuzzy Hash: c2e19683a336bd64f8f4b4fb8bb0daa2b97e716b0444b391705857a5cd73fec1
Instruction Fuzzy Hash: 36217C7660821DAFDB10DFA9CC88CFB77ACEB097647058026FA55EB150D6709C8287A0

Function 00EE77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EE7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EE7868
SysAllocString.OLEAUT32(00000000), ref: 00EE786B
SysAllocString.OLEAUT32 ref: 00EE788C
SysFreeString.OLEAUT32 ref: 00EE7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00EE78AF
SysAllocString.OLEAUT32(?), ref: 00EE78BD

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 38312d7777095db94b7cd7d3f870a1cebd16861ef9f72f0d07611505b5eaca35
Instruction ID: 5ddd88c80a11ca1a4bb4fb109135781a4b28715a2654c98a70a3f9772d31f0cb
Opcode Fuzzy Hash: 38312d7777095db94b7cd7d3f870a1cebd16861ef9f72f0d07611505b5eaca35
Instruction Fuzzy Hash: ED21C171608228AFDF149FA9CC88DAA77ECEB183607108025F954DB2A0D670DC41DB68

Function 00EF04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00EF04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EF052E

Strings

nul, xrefs: 00EF0567

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f31c1cceaf0d7c5b734dfd6208a8873111d6c6b0e0727c877f3c19476d20db6f
Instruction ID: 2f39b02cffc122c9e5a3b6ccf63b721538e7a6469357305af8d7630ec61f1f45
Opcode Fuzzy Hash: f31c1cceaf0d7c5b734dfd6208a8873111d6c6b0e0727c877f3c19476d20db6f
Instruction Fuzzy Hash: 25215175500309ABDB309F69D844AAA77A4AF44728F204A19E9A1E61E1E7B0D940DF60

Function 00EF05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00EF05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EF0601

Strings

nul, xrefs: 00EF0639

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c4ddd567a06aa406222f9f78ce4d241750bd3de4aeaa50786d7b96121b01a2f9
Instruction ID: efc4f995fc8a0a9ea679330f58f8b1087be58973d8e0aa629c4c63323009ef12
Opcode Fuzzy Hash: c4ddd567a06aa406222f9f78ce4d241750bd3de4aeaa50786d7b96121b01a2f9
Instruction Fuzzy Hash: DA21B27560031D9BDB208F68CC04AAA77E4BF85734F214A19FEA1F72E1DBB09860CB50

Function 00F140AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E8604C
Part of subcall function 00E8600E: GetStockObject.GDI32(00000011), ref: 00E86060
Part of subcall function 00E8600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E8606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F14112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F1411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F1412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F14139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F14145

Strings

Msctls_Progress32, xrefs: 00F140E3

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c3cd5a282a9e6c792d5207571c70a5eae7a8fd436288f01a184b76cd604e9d40
Instruction ID: 6637098fba6ee65e824ae0bdb7326f8bf6df053fb59013e186354b597c1c34af
Opcode Fuzzy Hash: c3cd5a282a9e6c792d5207571c70a5eae7a8fd436288f01a184b76cd604e9d40
Instruction Fuzzy Hash: AC1193B214021D7EEF219E64CC85EE77F5DEF097A8F014110BA18A6050C6729C61ABA4

Function 00EBD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EBD7A3: _free.LIBCMT ref: 00EBD7CC

_free.LIBCMT ref: 00EBD82D

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EBD838
_free.LIBCMT ref: 00EBD843
_free.LIBCMT ref: 00EBD897
_free.LIBCMT ref: 00EBD8A2
_free.LIBCMT ref: 00EBD8AD
_free.LIBCMT ref: 00EBD8B8

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 7a32fcbbb999df6f05a650a52608f8f570bb0caa892b5f1dfbe1eb129e725550
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 46112B71944B14BBDA21BFB0CC47FCB7BDCAF44700F406C2AB29DB6492EA65B50587A0

Function 00EEDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00EEDA74
LoadStringW.USER32(00000000), ref: 00EEDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00EEDA91
LoadStringW.USER32(00000000), ref: 00EEDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EEDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00EEDAB9

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 8bccd0d792eceaba8108f915135f8733967b18fc5001ad2256ac773f6f9da58b
Instruction ID: ce9f87ad3ac99b363389dcace2f6a19b1cd4142cfd5d002f203b60c2dafd855f
Opcode Fuzzy Hash: 8bccd0d792eceaba8108f915135f8733967b18fc5001ad2256ac773f6f9da58b
Instruction Fuzzy Hash: E30186F654020C7FE710DBA09D89EE7376CE708701F4154A1BB0AF2041E6749E845FB5

Function 00EF096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(010FE288,010FE288), ref: 00EF097B
EnterCriticalSection.KERNEL32(010FE268,00000000), ref: 00EF098D
TerminateThread.KERNEL32(?,000001F6), ref: 00EF099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00EF09A9
CloseHandle.KERNEL32(?), ref: 00EF09B8
InterlockedExchange.KERNEL32(010FE288,000001F6), ref: 00EF09C8
LeaveCriticalSection.KERNEL32(010FE268), ref: 00EF09CF

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 58ecbb0507a0684a54d84dd9754a1bdfc517f9c0bbbf0de664df09a1d3f4f92f
Instruction ID: 38fc1676f270a8e82173cc2e000771877b98ca9708a5543dcf3c70a5b6b34dd4
Opcode Fuzzy Hash: 58ecbb0507a0684a54d84dd9754a1bdfc517f9c0bbbf0de664df09a1d3f4f92f
Instruction Fuzzy Hash: 8EF03C32482A16BBD7525FA4EE8CBE6BB39FF41702F416025F242A08A1D7B49465DFD0

Function 00F01C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F01DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F01DE1
WSAGetLastError.WSOCK32 ref: 00F01DF2
htons.WSOCK32(?,?,?,?,?), ref: 00F01EDB
inet_ntoa.WSOCK32(?), ref: 00F01E8C

Part of subcall function 00EE39E8: _strlen.LIBCMT ref: 00EE39F2

Part of subcall function 00F03224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00EFEC0C), ref: 00F03240

_strlen.LIBCMT ref: 00F01F35

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: edfdbaaa2034596d54daa9b7518d54ec86f2c8522cb8df673b91fda65772b0d1
Instruction ID: 68c11ff0cbd7d96b08d631879c8729b1747590fe07c15f7bca7a80b4a49fa713
Opcode Fuzzy Hash: edfdbaaa2034596d54daa9b7518d54ec86f2c8522cb8df673b91fda65772b0d1
Instruction Fuzzy Hash: AAB1F131604301AFD724EF24C885E2A7BE5BF85328F54954CF45A6B2E2CB31ED42EB91

Function 00E85D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00E85D30
GetWindowRect.USER32(?,?), ref: 00E85D71
ScreenToClient.USER32(?,?), ref: 00E85D99
GetClientRect.USER32(?,?), ref: 00E85ED7
GetWindowRect.USER32(?,?), ref: 00E85EF8

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 94475841274945d782093cae84f05905def6e0da164da193e99996241031b968
Instruction ID: c879f15a3392af9218a9c1a5c8fb1b3b43980ba47fd5def805273ab014f63fb2
Opcode Fuzzy Hash: 94475841274945d782093cae84f05905def6e0da164da193e99996241031b968
Instruction Fuzzy Hash: 6BB18E76A0074ADBDB14DFA8C540BEEB7F1FF54314F14A41AE8A9E7290DB30AA41DB50

Function 00EB01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00EB00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB00D6
__allrem.LIBCMT ref: 00EB00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB010B
__allrem.LIBCMT ref: 00EB0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB0140

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 50967f15ad26d6c6736a095a0dd7975d18b6a7c1aaacc319e06550d5e07abb57
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 1C81D775A017069FE724AF68CC41BAB73E9AF46364F24653EF551FB281E7B0E9008790

Function 00EB61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00EA82D9,00EA82D9,?,?,?,00EB644F,00000001,00000001,?), ref: 00EB6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00EB644F,00000001,00000001,?,?,?,?), ref: 00EB62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00EB63D8
__freea.LIBCMT ref: 00EB63E5

Part of subcall function 00EB3820: RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

__freea.LIBCMT ref: 00EB63EE
__freea.LIBCMT ref: 00EB6413

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: bed2eacf79a0ad9ec912400cac8a9f01a8a7095edde06ff781f06f9c055e14c7
Instruction ID: 9fdf1fd69afbe881fad37e6fd0f52c678d0366f5da249c108384007db3b6c097
Opcode Fuzzy Hash: bed2eacf79a0ad9ec912400cac8a9f01a8a7095edde06ff781f06f9c055e14c7
Instruction Fuzzy Hash: ED51E072A00216ABEB258F64DC81EEF7BE9EB94714F155629FC05F6150EB38DC40C6A0

Function 00F0BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00F0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0B6AE,?,?), ref: 00F0C9B5
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0C9F1
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA68
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F0BD25
RegCloseKey.ADVAPI32(00000000), ref: 00F0BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F0BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F0BDF3
RegCloseKey.ADVAPI32(?), ref: 00F0BDFF

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: b4473d37987a9274905c76d65f680a5d39c6506977a59544133219679e8f2714
Instruction ID: 7e567f73392c0c4f567bcc427bfd3c79b7d5e1ae557e8473835237d3180b34d6
Opcode Fuzzy Hash: b4473d37987a9274905c76d65f680a5d39c6506977a59544133219679e8f2714
Instruction Fuzzy Hash: 3B81D231608241EFD714EF24C885E2ABBE5FF84318F14895CF4599B2A2DB31ED45EB92

Function 00EDF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00EDF7B9
SysAllocString.OLEAUT32(00000001), ref: 00EDF860
VariantCopy.OLEAUT32(00EDFA64,00000000), ref: 00EDF889
VariantClear.OLEAUT32(00EDFA64), ref: 00EDF8AD
VariantCopy.OLEAUT32(00EDFA64,00000000), ref: 00EDF8B1
VariantClear.OLEAUT32(?), ref: 00EDF8BB

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 2124392a8b47c38aea764cd30e7d996257ac63e016119b1e5d943205317425f1
Instruction ID: c080b1b46962b37a5b87336866fc7f136a04d14779650f36b65d2f2437589e62
Opcode Fuzzy Hash: 2124392a8b47c38aea764cd30e7d996257ac63e016119b1e5d943205317425f1
Instruction Fuzzy Hash: 9151E435940310BACF14EBA5D8A5B69B3E8EF85310B24A467E807FF392DB708C41D796

Function 00EF910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00E87620: _wcslen.LIBCMT ref: 00E87625

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00EF94E5
_wcslen.LIBCMT ref: 00EF9506
_wcslen.LIBCMT ref: 00EF952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00EF9585

Strings

X, xrefs: 00EF9412

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 049ac8f5d4eb7deef9a92ccfa90bed1d0ff644fc2210b9787517c35427fd8bcb
Instruction ID: b73ed2f485fbe950c8914949fc482ffc1f64241f89fa332b2ec875f4626786a3
Opcode Fuzzy Hash: 049ac8f5d4eb7deef9a92ccfa90bed1d0ff644fc2210b9787517c35427fd8bcb
Instruction Fuzzy Hash: 80E1B1716083018FD714EF24C881B6AB7E4BF85314F14996DF99DAB2A2DB31ED05CB92

Function 00E9920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

BeginPaint.USER32(?,?,?), ref: 00E99241
GetWindowRect.USER32(?,?), ref: 00E992A5
ScreenToClient.USER32(?,?), ref: 00E992C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E992D3
EndPaint.USER32(?,?,?,?,?), ref: 00E99321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00ED71EA

Part of subcall function 00E99339: BeginPath.GDI32(00000000), ref: 00E99357

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 9568f887494542e5f931ee34c3743f023ad2d2e984e735ce585e74f2eaca28e7
Instruction ID: 8ec13cfd721991a1eb9745f8267360aa3fa3e720ecd77426543385ecd4b06a0f
Opcode Fuzzy Hash: 9568f887494542e5f931ee34c3743f023ad2d2e984e735ce585e74f2eaca28e7
Instruction Fuzzy Hash: 8D41B370105304AFDB11DF28DC84FAA7BE8FB46725F04022DFA95A72E2D731A845EB61

Function 00EF07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00EF080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00EF0847
EnterCriticalSection.KERNEL32(?), ref: 00EF0863
LeaveCriticalSection.KERNEL32(?), ref: 00EF08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00EF08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00EF0921

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: f8572d27ab86ff202ab9c5aebe3114d69639f6db3b3031e839843e756594635a
Instruction ID: ad7dba8a1b4752da86c37d766ddeaadc9ae7f3e47296a32ff74964eaf80dcdad
Opcode Fuzzy Hash: f8572d27ab86ff202ab9c5aebe3114d69639f6db3b3031e839843e756594635a
Instruction Fuzzy Hash: FE417C71A00209EBDF14AF54DC85AAA77B8FF45310F1480A9ED00EE297DB30DE65DBA0

Function 00F181DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00EDF3AB,00000000,?,?,00000000,?,00ED682C,00000004,00000000,00000000), ref: 00F1824C
EnableWindow.USER32(?,00000000), ref: 00F18272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00F182D1
ShowWindow.USER32(?,00000004), ref: 00F182E5
EnableWindow.USER32(?,00000001), ref: 00F1830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00F1832F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 667545e83484202c39769d998f7132439ec5bb93ea080226176c568c58467494
Instruction ID: 4627757fea16b24074b0331d6eb28b390de1701c9b96fada016853140744ccc8
Opcode Fuzzy Hash: 667545e83484202c39769d998f7132439ec5bb93ea080226176c568c58467494
Instruction Fuzzy Hash: C041C834A01644AFDB12CF15CD95BE47BE0FB06765F184169E6184F2B2CB71AC82EF50

Function 00EE4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00EE4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EE4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EE4CEA
_wcslen.LIBCMT ref: 00EE4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00EE4D10
_wcsstr.LIBVCRUNTIME ref: 00EE4D1A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 536467bad24effbb5a7c22ec0d7f14ae2e3a52eada8fcefbbe8a51047448512a
Instruction ID: 24673a70853e46d25d8132b28bb5cc8d3acb43658b9461f36d08b281c5622868
Opcode Fuzzy Hash: 536467bad24effbb5a7c22ec0d7f14ae2e3a52eada8fcefbbe8a51047448512a
Instruction Fuzzy Hash: 362129B12042487BEB155B3ADC09E7B7BDCDF49750F119029F809EA1D1DA61DC0096A1

Function 00EF581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E83A97,?,?,00E82E7F,?,?,?,00000000), ref: 00E83AC2

_wcslen.LIBCMT ref: 00EF587B
CoInitialize.OLE32(00000000), ref: 00EF5995
CoCreateInstance.OLE32(00F1FCF8,00000000,00000001,00F1FB68,?), ref: 00EF59AE
CoUninitialize.OLE32 ref: 00EF59CC

Strings

.lnk, xrefs: 00EF5876, 00EF58C1, 00EF5985

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4b3a4fa1ffa8b37b53d2837d766ec8efbc10fdfaff6ecd55dea8c10ab54c59b6
Instruction ID: fb106ccaae3eb3638e756f948009bd7b5923d6fbd8f2d3bf4c8df1317f7e074b
Opcode Fuzzy Hash: 4b3a4fa1ffa8b37b53d2837d766ec8efbc10fdfaff6ecd55dea8c10ab54c59b6
Instruction Fuzzy Hash: 9DD185726087059FC708EF24C48092ABBE1FF99714F14985DFA99AB361C731ED45CB92

Function 00EE175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EE0FCA
Part of subcall function 00EE0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EE0FD6
Part of subcall function 00EE0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EE0FE5
Part of subcall function 00EE0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EE0FEC
Part of subcall function 00EE0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EE1002

GetLengthSid.ADVAPI32(?,00000000,00EE1335), ref: 00EE17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EE17BA
HeapAlloc.KERNEL32(00000000), ref: 00EE17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00EE17DA
GetProcessHeap.KERNEL32(00000000,00000000,00EE1335), ref: 00EE17EE
HeapFree.KERNEL32(00000000), ref: 00EE17F5

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 70f18d428d4046a4d6620b47cd5df24fa3bd00edb114ce9bc885801a3ffcc87b
Instruction ID: 47387bb91f0461e9053fce4c0abc839439ab6ea77931b08e285d242f44eea03e
Opcode Fuzzy Hash: 70f18d428d4046a4d6620b47cd5df24fa3bd00edb114ce9bc885801a3ffcc87b
Instruction Fuzzy Hash: D011EE31684208FFDB108FA6CC48BEE7BB8EB46719F108059F481B7211C731A980DBA0

Function 00EE14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EE14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00EE1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EE1515
CloseHandle.KERNEL32(00000004), ref: 00EE1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EE154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00EE1563

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bb59a34c3a7ca66a512b5af7c1c39e17133e9b02ab966e6aae218b8e202071d3
Instruction ID: 78c76998d2b875b93ef382d010957e0a18e1c3096200226e1a8fc107be5a8309
Opcode Fuzzy Hash: bb59a34c3a7ca66a512b5af7c1c39e17133e9b02ab966e6aae218b8e202071d3
Instruction Fuzzy Hash: 9611597250024DABDF118F98DD49BDE7BA9EF48748F058054FA15A21A0C3718EA4EBA0

Function 00EA3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EA3379,00EA2FE5), ref: 00EA3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EA339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EA33B7
SetLastError.KERNEL32(00000000,?,00EA3379,00EA2FE5), ref: 00EA3409

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9a65f4cd9c5236947afee825a388cb535bca0b316d75ab3a9ddf7d840c6ac8cf
Instruction ID: 923437a0e9d8bd8ec36708c21a284f14e19a1935b586443ba7a42e81c8014b0a
Opcode Fuzzy Hash: 9a65f4cd9c5236947afee825a388cb535bca0b316d75ab3a9ddf7d840c6ac8cf
Instruction Fuzzy Hash: 3D01243660E315BEAA6427787C855A73ED4EB6F3797203229F830EC1F0EF156E096184

Function 00EB2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EB5686,00EC3CD6,?,00000000,?,00EB5B6A,?,?,?,?,?,00EAE6D1,?,00F48A48), ref: 00EB2D78
_free.LIBCMT ref: 00EB2DAB
_free.LIBCMT ref: 00EB2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00EAE6D1,?,00F48A48,00000010,00E84F4A,?,?,00000000,00EC3CD6), ref: 00EB2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00EAE6D1,?,00F48A48,00000010,00E84F4A,?,?,00000000,00EC3CD6), ref: 00EB2DEC
_abort.LIBCMT ref: 00EB2DF2

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8bea108974523e3e81c76533beaa49a57f94dfdd0c1b5a7ac43015d3748c7624
Instruction ID: c8533c8e697b9229720e3f33a4bde25289a192f4200a6505e7bf69d6860af726
Opcode Fuzzy Hash: 8bea108974523e3e81c76533beaa49a57f94dfdd0c1b5a7ac43015d3748c7624
Instruction Fuzzy Hash: 0EF0FC3554560037C6123739BC0AEDF3599AFC67A5F25651CFF38F21E6EF24880161A1

Function 00F18A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00E99639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E99693
Part of subcall function 00E99639: SelectObject.GDI32(?,00000000), ref: 00E996A2
Part of subcall function 00E99639: BeginPath.GDI32(?), ref: 00E996B9
Part of subcall function 00E99639: SelectObject.GDI32(?,00000000), ref: 00E996E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00F18A4E
LineTo.GDI32(?,00000003,00000000), ref: 00F18A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00F18A70
LineTo.GDI32(?,00000000,00000003), ref: 00F18A80
EndPath.GDI32(?), ref: 00F18A90
StrokePath.GDI32(?), ref: 00F18AA0

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 23f7b067612c63bd4b66027f931baa228795f42e4ba5935b2c05a3b1c1e1c8dd
Instruction ID: 600ec098f6955ba4e1dc6c336672199af179e6af4b112aad06073b0a4279f996
Opcode Fuzzy Hash: 23f7b067612c63bd4b66027f931baa228795f42e4ba5935b2c05a3b1c1e1c8dd
Instruction Fuzzy Hash: 2211F77644010CFFDB129F94DC88EEA7FACEF08390F01C012BA199A1A1C771AD55EBA0

Function 00EE51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EE5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00EE5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EE5230
ReleaseDC.USER32(00000000,00000000), ref: 00EE5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00EE524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00EE5261

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 16c27a0f95eb3f079fa4130189c9180d7174fcb986c949794ce8857069757de1
Instruction ID: 8b8780207aaf863f34fc4ee360cf32123c6dd98b6ab07699ac36dd2272df9349
Opcode Fuzzy Hash: 16c27a0f95eb3f079fa4130189c9180d7174fcb986c949794ce8857069757de1
Instruction Fuzzy Hash: 9D014875A40718BBEB105BA69C45A5E7F78EB48751F044065FA09A7291D6709900DB90

Function 00E81BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E81BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E81BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E81C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E81C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E81C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E81C22

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3eb8cdeeeeb9c2c672a36e3d1b69955c8f1113fe1a4591f44bc753547443b83f
Instruction ID: 1e6ba7abab5e3c87e841b3f34cc0bb31c7612f4dfbd31d1daafcdcc4f78c88c1
Opcode Fuzzy Hash: 3eb8cdeeeeb9c2c672a36e3d1b69955c8f1113fe1a4591f44bc753547443b83f
Instruction Fuzzy Hash: 0D0167B0942B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00EEEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EEEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EEEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00EEEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EEEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EEEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EEEB75

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 15e0a8599ef7323807f891a77cf5e3e3d2ee71ce1026d59e65a86475813c8d97
Instruction ID: f3b509680d1b01257f125b0298fcf710f0093acdacc4b60c7ab2520f5e62a043
Opcode Fuzzy Hash: 15e0a8599ef7323807f891a77cf5e3e3d2ee71ce1026d59e65a86475813c8d97
Instruction Fuzzy Hash: 97F0307258015CBBE72157529C0DEEF3A7CEFCAB11F018158F611E1191D7A05A01E6F5

Function 00ED7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00ED7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00ED7469
GetWindowDC.USER32(?), ref: 00ED7475
GetPixel.GDI32(00000000,?,?), ref: 00ED7484
ReleaseDC.USER32(?,00000000), ref: 00ED7496
GetSysColor.USER32(00000005), ref: 00ED74B0

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 5567e17bb1cce8dd464424552cec6b0a06250203a84398cf94899039197ad443
Instruction ID: 35af826e6bb588a1132f5c21c673b3d9b8c3a59e666922af9d9b034f755bab3a
Opcode Fuzzy Hash: 5567e17bb1cce8dd464424552cec6b0a06250203a84398cf94899039197ad443
Instruction Fuzzy Hash: 1A018B31440219EFDB515F64DC08BEA7BB6FB04311F568064F929A21A1CB311E42EB90

Function 00EE1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EE187F
UnloadUserProfile.USERENV(?,?), ref: 00EE188B
CloseHandle.KERNEL32(?), ref: 00EE1894
CloseHandle.KERNEL32(?), ref: 00EE189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EE18A5
HeapFree.KERNEL32(00000000), ref: 00EE18AC

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 622a03c4a0979d3e63830ef0e131f1f3b7808ad5a0bd126336a2da741213bd68
Instruction ID: 4ee0289d42603902a28a0e662f0f99c081448674beb7fe88841e4dcdb7e97fd4
Opcode Fuzzy Hash: 622a03c4a0979d3e63830ef0e131f1f3b7808ad5a0bd126336a2da741213bd68
Instruction Fuzzy Hash: 99E0ED36484219BBEB015FA2ED0C985BF39FF49721B11C220F22591071CB725420EF90

Function 00F07B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00EA0242: EnterCriticalSection.KERNEL32(00F5070C,00F51884,?,?,00E9198B,00F52518,?,?,?,00E812F9,00000000), ref: 00EA024D
Part of subcall function 00EA0242: LeaveCriticalSection.KERNEL32(00F5070C,?,00E9198B,00F52518,?,?,?,00E812F9,00000000), ref: 00EA028A

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EA00A3: __onexit.LIBCMT ref: 00EA00A9

__Init_thread_footer.LIBCMT ref: 00F07BFB

Part of subcall function 00EA01F8: EnterCriticalSection.KERNEL32(00F5070C,?,?,00E98747,00F52514), ref: 00EA0202
Part of subcall function 00EA01F8: LeaveCriticalSection.KERNEL32(00F5070C,?,00E98747,00F52514), ref: 00EA0235

Strings

5, xrefs: 00F07C78
Variable must be of type 'Object'., xrefs: 00F07C3A
G, xrefs: 00F07C7F
+T, xrefs: 00F07E2E

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T$5$G$Variable must be of type 'Object'.
API String ID: 535116098-4125810065
Opcode ID: 172cac1911b785d6a25735877ab924ffae4aaf969edb9cfa0a7c13ec5c922493
Instruction ID: 034009552a71217a611b66c53dfed843769c96c0fe3c59e655392b9e692144a4
Opcode Fuzzy Hash: 172cac1911b785d6a25735877ab924ffae4aaf969edb9cfa0a7c13ec5c922493
Instruction Fuzzy Hash: 0A919A70E05309EFCB14EF54D8909BEB7B1BF49314F148099F80AAB292DB71AE41EB51

Function 00EEC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E87620: _wcslen.LIBCMT ref: 00E87625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EEC6EE
_wcslen.LIBCMT ref: 00EEC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EEC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EEC7CA

Strings

0, xrefs: 00EEC6AF

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: c9303a62f83514cafb5f770820fe7e097af84bef429b087f0df066011714c275
Instruction ID: 63f7a8790b2a0a2dedb3ab95816a47ec15a7826559ea5d32cc18f06bd8f8a8df
Opcode Fuzzy Hash: c9303a62f83514cafb5f770820fe7e097af84bef429b087f0df066011714c275
Instruction Fuzzy Hash: 7E5124716043899BD7149F3AC844BAB77E4AF89318F242A2EF995F3190DB70DC06DB52

Function 00F0AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00F0AEA3

Part of subcall function 00E87620: _wcslen.LIBCMT ref: 00E87625

GetProcessId.KERNEL32(00000000), ref: 00F0AF38
CloseHandle.KERNEL32(00000000), ref: 00F0AF67

Strings

@, xrefs: 00F0AE72
<, xrefs: 00F0AE6B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: bcb926acfdd27ff212297516ad6c46676b74887361fc2ce8dce2b71789242d89
Instruction ID: 8af8e321ac33e0517447991d999376d4e8ad9d468774e573f4ed04e0392a6c81
Opcode Fuzzy Hash: bcb926acfdd27ff212297516ad6c46676b74887361fc2ce8dce2b71789242d89
Instruction Fuzzy Hash: EE718C71A00619DFCB14EF54C484A9EBBF1FF08314F148499E85AAB392C774ED45DB91

Function 00EE719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EE7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00EE723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00EE724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EE72CF

Strings

DllGetClassObject, xrefs: 00EE7242

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 059d53fe902ec82ce3a08af626d2f10030c7bd1c9ebd44aba171a913a5d58aa0
Instruction ID: 831a2496d5cb72df5220f319185b0d0092803942dd7ff616dcf58ae6def8cbdf
Opcode Fuzzy Hash: 059d53fe902ec82ce3a08af626d2f10030c7bd1c9ebd44aba171a913a5d58aa0
Instruction Fuzzy Hash: 0241DFB1A04209EFDB15CF55C884A9A7BB9EF48314F1090A9BE45AF21AD7B0DD40DBA0

Function 00F13D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F13E35
IsMenu.USER32(?), ref: 00F13E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F13E92
DrawMenuBar.USER32 ref: 00F13EA5

Strings

0, xrefs: 00F13D89

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 16da9cd1b0bf380f177fff2130008652157eff7b284f1c0dcc8be2ebbd5f3c4b
Instruction ID: 1a355d4171bce9c8e14b1ea5f7cd890946961b8b78b93bcd6e8c2d6e32a8e3d2
Opcode Fuzzy Hash: 16da9cd1b0bf380f177fff2130008652157eff7b284f1c0dcc8be2ebbd5f3c4b
Instruction Fuzzy Hash: A3413A75A01309EFDB10DF54D884AEABBB9FF49364F044129E915A7290D730AE89EF90

Function 00EE1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EE1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EE1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00EE1EA9

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

Strings

ComboBox, xrefs: 00EE1DF0
ListBox, xrefs: 00EE1E25

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 52f2f3cefbdcdd9b6b005ebe81e6a2a0984e36644cb1fd0a47fd96357820d7ac
Instruction ID: 9ee2f3c8e44727e31558c8ab0df9eefb7eb13f0918d1b5fc19083004d2f359ca
Opcode Fuzzy Hash: 52f2f3cefbdcdd9b6b005ebe81e6a2a0984e36644cb1fd0a47fd96357820d7ac
Instruction Fuzzy Hash: 23212371A00148AFDB18ABB1CC49CFFB7B8DF41364B146119F829B31E1DB3949499760

Function 00F12F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F12F8D
LoadLibraryW.KERNEL32(?), ref: 00F12F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F12FA9
DestroyWindow.USER32(?), ref: 00F12FB1

Strings

SysAnimate32, xrefs: 00F12F68

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0a2155e9ea70584f7c6dc57a5e9a3d0dc09b4ba5cc913a776e624a5257713840
Instruction ID: b5d90947942effeabf09bbb6e382e48c13dcad7a5eff4be2b90007a770e2725a
Opcode Fuzzy Hash: 0a2155e9ea70584f7c6dc57a5e9a3d0dc09b4ba5cc913a776e624a5257713840
Instruction Fuzzy Hash: 83219D71600209ABEB604FA4EC84EFB37B9EB59374F104218F954D6190D771DCA2A760

Function 00EA4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00EA4D1E,00EB28E9,(,00EA4CBE,00000000,00F488B8,0000000C,00EA4E15,(,00000002), ref: 00EA4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EA4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00EA4D1E,00EB28E9,(,00EA4CBE,00000000,00F488B8,0000000C,00EA4E15,(,00000002,00000000), ref: 00EA4DC3

Strings

mscoree.dll, xrefs: 00EA4D86
CorExitProcess, xrefs: 00EA4D98

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 65a3fce03ac37acebeb663e4875f0e400b6437aed71e3c3c684ef59bffe8f92d
Instruction ID: 9cdfe011f4d1aa24f56fbb0ede029d5ed54e0f7d834f0c96d2ba6750943daafa
Opcode Fuzzy Hash: 65a3fce03ac37acebeb663e4875f0e400b6437aed71e3c3c684ef59bffe8f92d
Instruction Fuzzy Hash: 43F0AF35A8021CBBDB109F94DC49BEDBFB4EF48716F0140A4F805B62A0CF70A940EAD1

Function 00E84E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E84EDD,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E84EAE
FreeLibrary.KERNEL32(00000000,?,?,00E84EDD,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84EC0

Strings

kernel32.dll, xrefs: 00E84E94
Wow64DisableWow64FsRedirection, xrefs: 00E84EA8

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: aff9ee1e73ab682bebcf85669da8a745c6ffb57eabb2194c4ec4240e0e5c7269
Instruction ID: efe9d7358faeb83c732d6adadc7b0c458d4e5a86a9d4c495aa677ab673594d0b
Opcode Fuzzy Hash: aff9ee1e73ab682bebcf85669da8a745c6ffb57eabb2194c4ec4240e0e5c7269
Instruction Fuzzy Hash: 54E0CD35A815236BD2312B256C18F9F7654EFC1F667064115FC0CF7140DB60CD0161E1

Function 00E84E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EC3CDE,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E84E74
FreeLibrary.KERNEL32(00000000,?,?,00EC3CDE,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E87

Strings

kernel32.dll, xrefs: 00E84E5B
Wow64RevertWow64FsRedirection, xrefs: 00E84E6E

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c7eb216b503a56da958508bdf8a42650ec6a3ae13c2a7336d9f8e8a274ce9e58
Instruction ID: dd9804ecedeb1488a72a069fe29d2466dd3dac5535daafa36b132f224bf33a76
Opcode Fuzzy Hash: c7eb216b503a56da958508bdf8a42650ec6a3ae13c2a7336d9f8e8a274ce9e58
Instruction Fuzzy Hash: 61D012355826236757222B256C18DCB7A18EF85B593064515BD0DF6154CF60CD01A6D1

Function 00EF2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EF2C05
DeleteFileW.KERNEL32(?), ref: 00EF2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EF2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EF2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EF2CC0

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 87ac5d6c7ca5ed2d40bedab9fe3c45bbf3a7f39a134769cb5969bb92addb15b7
Instruction ID: 9e193032a7f88af0b703ba1ff65a8e2b51d1338ec1d70f6879d44e5e29155316
Opcode Fuzzy Hash: 87ac5d6c7ca5ed2d40bedab9fe3c45bbf3a7f39a134769cb5969bb92addb15b7
Instruction Fuzzy Hash: 3FB13D7290011DABDF11EBA4CC85EEEBBBDEF49350F1050AAF609F6151EB319A448B61

Function 00F0A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00F0A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F0A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F0A468
CloseHandle.KERNEL32(?), ref: 00F0A63D

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: ec30100489973053286cf458323ba9296277a5034867a881da4e9367e86d4634
Instruction ID: df3013ff38fddf7f1afcbcb17908627114dfa40056f238de71e18bea07985dd6
Opcode Fuzzy Hash: ec30100489973053286cf458323ba9296277a5034867a881da4e9367e86d4634
Instruction Fuzzy Hash: 68A1B3716043009FE720DF24D886F2AB7E5AF84714F14985CF56A9B2D2D771EC41DB92

Function 00EBBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F23700), ref: 00EBBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00F5121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00EBBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00F51270,000000FF,?,0000003F,00000000,?), ref: 00EBBC36
_free.LIBCMT ref: 00EBBB7F

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EBBD4B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 92e474b2423d917aa182ebb34da78fda1c7608534703e00e4020d428e2dee313
Instruction ID: b9f3a916cd54e7be5d6d856a74a12000c594c159810b1303e0ae5c91564f972e
Opcode Fuzzy Hash: 92e474b2423d917aa182ebb34da78fda1c7608534703e00e4020d428e2dee313
Instruction Fuzzy Hash: 8F51C371900209AFDB10EF659C81AEFBBF8BF41314F10526AE554F71A1EBB09E419B90

Function 00EEE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EEDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EECF22,?), ref: 00EEDDFD

Part of subcall function 00EEDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EECF22,?), ref: 00EEDE16

Part of subcall function 00EEE199: GetFileAttributesW.KERNEL32(?,00EECF95), ref: 00EEE19A

lstrcmpiW.KERNEL32(?,?), ref: 00EEE473
MoveFileW.KERNEL32(?,?), ref: 00EEE4AC
_wcslen.LIBCMT ref: 00EEE5EB
_wcslen.LIBCMT ref: 00EEE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00EEE650

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 9b2906bc237f50b5c5b0576b99c59973038253efa6ff3948c24118aec3ccbd26
Instruction ID: 9cda126c0ea8f05d36d7bbfdf768423ac1d997f4b4104784d892463a3353fe9a
Opcode Fuzzy Hash: 9b2906bc237f50b5c5b0576b99c59973038253efa6ff3948c24118aec3ccbd26
Instruction Fuzzy Hash: 3A5175B24083895BC724EB90DC819DFB3ECAF85344F00591EF599E3291EF75A5888766

Function 00F0B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00F0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0B6AE,?,?), ref: 00F0C9B5
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0C9F1
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA68
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F0BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F0BB63
RegCloseKey.ADVAPI32(?,?), ref: 00F0BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00F0BBB3

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: af423f2e021ec2edc595e71b8714672d93714bdec2d2ee1275b015ea401627cc
Instruction ID: 463c21bbbf535aa35fa9ed6d98bf28078e292cddab302b610317aa72d15df074
Opcode Fuzzy Hash: af423f2e021ec2edc595e71b8714672d93714bdec2d2ee1275b015ea401627cc
Instruction Fuzzy Hash: 5C61E271608201EFD314EF14C890E2ABBE5FF84318F14855CF4998B2A2DB35ED45EB92

Function 00EE8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EE8BCD
VariantClear.OLEAUT32 ref: 00EE8C3E
VariantClear.OLEAUT32 ref: 00EE8C9D
VariantClear.OLEAUT32(?), ref: 00EE8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EE8D3B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 548fce355257c28930d04a995d45dd92d1993021bfec6bb109b30689cbe66111
Instruction ID: 9ca722943a4166f2ae6bc8fedc0cf23cb47430d612fb755884fae47307a5886a
Opcode Fuzzy Hash: 548fce355257c28930d04a995d45dd92d1993021bfec6bb109b30689cbe66111
Instruction Fuzzy Hash: 6B5197B5A00219EFCB10CF29C884AAAB7F9FF89314B118559E909EB354E730E911CF90

Function 00EF8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EF8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00EF8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EF8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EF8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EF8C5F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 50f7c2ae5b9a46fca9af376ae7cb48dce4055a08ac5a979b0dd1f434512dd280
Instruction ID: 084239e5d3c688924b1ebd861f38992397db59c6b1a4eb9940632f8127a1c6dc
Opcode Fuzzy Hash: 50f7c2ae5b9a46fca9af376ae7cb48dce4055a08ac5a979b0dd1f434512dd280
Instruction Fuzzy Hash: 0C515A35A002199FCB04EF64C880AADBBF5FF49314F189458E94DAB362CB31ED41CBA1

Function 00F08EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00F08F40
GetProcAddress.KERNEL32(00000000,?), ref: 00F08FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F08FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00F09032
FreeLibrary.KERNEL32(00000000), ref: 00F09052

Part of subcall function 00E9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00EF1043,?,75C0E610), ref: 00E9F6E6
Part of subcall function 00E9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00EDFA64,00000000,00000000,?,?,00EF1043,?,75C0E610,?,00EDFA64), ref: 00E9F70D

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 59b31e521e79ca1029f86125c9d8741cb2ffa86f431b85b41cdf99bbea71f1bc
Instruction ID: b7f48e721fa331a2c2ddb0c451969f5e5df911610875152659f56f8c339564df
Opcode Fuzzy Hash: 59b31e521e79ca1029f86125c9d8741cb2ffa86f431b85b41cdf99bbea71f1bc
Instruction Fuzzy Hash: C9515F35A04205DFC715EF64C4848ADBBF1FF49324B058099E849AB3A2DB31ED86EB90

Function 00F16B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00F16C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00F16C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00F16C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00EFAB79,00000000,00000000), ref: 00F16C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00F16CC7

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 74469a50f10fea136281166bc5a863d6abfd66e07b101f610720f2a83e71dd60
Instruction ID: 9f096118a8421a3b3eb30ef96e542169c86ef72509371d25122c3d21e0033432
Opcode Fuzzy Hash: 74469a50f10fea136281166bc5a863d6abfd66e07b101f610720f2a83e71dd60
Instruction Fuzzy Hash: 0141D435A04104AFD724CF28CC58FE97BA5EB09361F154268F999E73E0C371AD81EAC0

Function 00EB2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EB20C3
_free.LIBCMT ref: 00EB20E3

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2159d089d822e0945c305497e196337f9aee3a6fe0f76249dd8bafc58dd7428d
Instruction ID: 7c4a852abbb0134f964d55b63c97aaa6e9ca47e3b82afb7c62f99d44f3df88c2
Opcode Fuzzy Hash: 2159d089d822e0945c305497e196337f9aee3a6fe0f76249dd8bafc58dd7428d
Instruction Fuzzy Hash: F241E272A00204AFCB24DF78C880A9EB7E5EF89714F1555ACEA15FB391DB31AD01DB80

Function 00E9912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E99141
ScreenToClient.USER32(00000000,?), ref: 00E9915E
GetAsyncKeyState.USER32(00000001), ref: 00E99183
GetAsyncKeyState.USER32(00000002), ref: 00E9919D

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 97bacb000af2e337ae363535999cfdc4b9db9af8f6102a034788e85b2b935238
Instruction ID: 00f7ba8c5d7dda81092c848cb6c8d76afd14e59f85e1c45fe9a1b87ac184b48b
Opcode Fuzzy Hash: 97bacb000af2e337ae363535999cfdc4b9db9af8f6102a034788e85b2b935238
Instruction Fuzzy Hash: 9D419F31A0821AFBDF099F68C844BEEB774FB05324F21931AE469B32D1D7346990DB91

Function 00EF3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00EF38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00EF3922
TranslateMessage.USER32(?), ref: 00EF394B
DispatchMessageW.USER32(?), ref: 00EF3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF3966

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 454a7f48fd1d22b4d45c53fc95908d4d0542a2fe7fdb81ccff2285f518ecd62e
Instruction ID: fc121fec41e9483548b9098fa5e903587147e86e8563ed1e1bd006855c93abaa
Opcode Fuzzy Hash: 454a7f48fd1d22b4d45c53fc95908d4d0542a2fe7fdb81ccff2285f518ecd62e
Instruction Fuzzy Hash: B631097050438E9EEB35CB34D808BB637E8AB41349F04156DE762E21E4E3F4AA85DB11

Function 00EFCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00EFC21E,00000000), ref: 00EFCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00EFCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00EFC21E,00000000), ref: 00EFCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EFC21E,00000000), ref: 00EFCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EFC21E,00000000), ref: 00EFCFF2

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 467a446b2dd60ae956f9db3542e6db94254b0b635461fc22211ac2436af3df24
Instruction ID: e13ae8644e4f9f499dbe2b43a3efdbc703c67ad76bfd44745dfaad6464670ed5
Opcode Fuzzy Hash: 467a446b2dd60ae956f9db3542e6db94254b0b635461fc22211ac2436af3df24
Instruction Fuzzy Hash: F431417260420DAFDB20DFA5C984ABBBBF9EB14354B30942EF616E2150D730AD40DBA0

Function 00EE1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EE1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00EE19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00EE19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00EE19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00EE19E2

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ef946c687abf766c6ad6dae79ee1efd0e2074da1061c53576325ee1cc213e06c
Instruction ID: 9c43fde59a2d1a65aaa38837d0a48be400fb88dde8fe3f08a5ce5783675b09e3
Opcode Fuzzy Hash: ef946c687abf766c6ad6dae79ee1efd0e2074da1061c53576325ee1cc213e06c
Instruction Fuzzy Hash: 2431D47190025DEFCB00CFA9CD99ADE3BB5EB44315F109265F925A72D2C7709D84DB90

Function 00F15706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F15745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00F1579D
_wcslen.LIBCMT ref: 00F157AF
_wcslen.LIBCMT ref: 00F157BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F15816

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: b25b49115b129b8b6c1c7445430f6eb8aa7a4a9778325ccb69f3e46950f728a6
Instruction ID: 5cb43cf0bbcb6e828851a836cffa00459fba9c923b5b748c77ee169b94a5ea4d
Opcode Fuzzy Hash: b25b49115b129b8b6c1c7445430f6eb8aa7a4a9778325ccb69f3e46950f728a6
Instruction Fuzzy Hash: EF218F71D04618DADB209FA0CC85AEEB7B8FF84B35F108216E929AA1C0D77099C5DF50

Function 00F00930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F00951
GetForegroundWindow.USER32 ref: 00F00968
GetDC.USER32(00000000), ref: 00F009A4
GetPixel.GDI32(00000000,?,00000003), ref: 00F009B0
ReleaseDC.USER32(00000000,00000003), ref: 00F009E8

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: eb0996aa485d9b4689e7ff59a0e25023a31cbf0996058aafc1724b90a7967dd6
Instruction ID: f4a00f352d517134909fc253ed72e82f5a0927ff484a3cdc6f0d386e59e5b6d7
Opcode Fuzzy Hash: eb0996aa485d9b4689e7ff59a0e25023a31cbf0996058aafc1724b90a7967dd6
Instruction Fuzzy Hash: 7A218175600208AFD704EF65D884AAEBBE9EF45700F058069F94AA7362CB70AC04DB90

Function 00EBCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00EBCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EBCDE9

Part of subcall function 00EB3820: RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00EBCE0F
_free.LIBCMT ref: 00EBCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EBCE31

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: df47e33b5797338174eb2bf1f73e31f0a6faf3ed487929994314c22251abf1ed
Instruction ID: ef6518c3d0982f4c5c83d73f18076ec079eb16f854396b8acf1995ae3f05f6ca
Opcode Fuzzy Hash: df47e33b5797338174eb2bf1f73e31f0a6faf3ed487929994314c22251abf1ed
Instruction Fuzzy Hash: FC01F772605215BF23211AB66C8CCFB7A6DDEC6BA53255129FD05FB200EA60CD0191F1

Function 00E99639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E99693
SelectObject.GDI32(?,00000000), ref: 00E996A2
BeginPath.GDI32(?), ref: 00E996B9
SelectObject.GDI32(?,00000000), ref: 00E996E2

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4c4ecab73376f05def7788b1a6323f9e7679ea52a2bfde24589aaa00f8911894
Instruction ID: f057d1776caa9f2667bf977e3fa3cb19ad994d6e6e00111764095a0ef046a451
Opcode Fuzzy Hash: 4c4ecab73376f05def7788b1a6323f9e7679ea52a2bfde24589aaa00f8911894
Instruction Fuzzy Hash: 4A215070802309EBDF119F68EC187ED3BA9BB5135AF10421AF611B61B2D3706895EB94

Function 00EE5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00EE5726
_memcmp.LIBVCRUNTIME ref: 00EE5744
_memcmp.LIBVCRUNTIME ref: 00EE5757
_memcmp.LIBVCRUNTIME ref: 00EE576F
_memcmp.LIBVCRUNTIME ref: 00EE5787

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d615334d32ee67e86b7fae1f2dcf59bf280268751d56a07e78891ef08442a522
Instruction ID: 1c77cfc27181406fd841567090c8039f86008b8d3f0d62947751726034e7140c
Opcode Fuzzy Hash: d615334d32ee67e86b7fae1f2dcf59bf280268751d56a07e78891ef08442a522
Instruction Fuzzy Hash: 0601D2A364160DFAD60896129D92EFB739C9B6539CF001022FD04BE241F660FD7892E1

Function 00EB2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00EAF2DE,00EB3863,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6), ref: 00EB2DFD
_free.LIBCMT ref: 00EB2E32
_free.LIBCMT ref: 00EB2E59
SetLastError.KERNEL32(00000000,00E81129), ref: 00EB2E66
SetLastError.KERNEL32(00000000,00E81129), ref: 00EB2E6F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1224d431824adf6bfcdcd81562cbc906249bf38ec84ac564f4852a9e1afdc98a
Instruction ID: 5eb13f38501a17367b748f328ebd335f704c64418b6ddf2a34d0f1986b03bf5c
Opcode Fuzzy Hash: 1224d431824adf6bfcdcd81562cbc906249bf38ec84ac564f4852a9e1afdc98a
Instruction Fuzzy Hash: 3801283624560477C61327766C46DEB36ADAFD57B9B21B42CFB25B21E2EF34CC016060

Function 00EE000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?,?,00EE035E), ref: 00EE002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?), ref: 00EE0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0070

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 50af3deb5ef9fd2a8cfc24cf470104a1257aa6930f03df03f010ba538eb78dc6
Instruction ID: c317af615e2a2fbb41ea3f78cd61747be8efa5eca071a475745bd1d7e7c2d873
Opcode Fuzzy Hash: 50af3deb5ef9fd2a8cfc24cf470104a1257aa6930f03df03f010ba538eb78dc6
Instruction Fuzzy Hash: 3D01A27264020CBFDB119F6AEC44BEA7AEDEF44761F159524F905E2210D7B1DD80ABA0

Function 00EEE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00EEE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00EEE9A5
Sleep.KERNEL32(00000000), ref: 00EEE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00EEE9B7
Sleep.KERNEL32 ref: 00EEE9F3

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 924f4b58e4a0268f67713f419056ed5784b1e70712d6cdd8f4ad041d3f9bc36e
Instruction ID: e7888592bf893b2f6740be7c4c9c68cfcee54e37c1d614462949895aafa017f9
Opcode Fuzzy Hash: 924f4b58e4a0268f67713f419056ed5784b1e70712d6cdd8f4ad041d3f9bc36e
Instruction Fuzzy Hash: 3A016931C4162DEBCF04AFE6DC59AEDBBB8FF48300F015586E502B2242CB319550DBA1

Function 00EE10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EE1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EE114D

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 914fe0c79364df9f651c1fc4cc51e2d4bc01db1839bf5b0b4cfcc483e0aead57
Instruction ID: f3fe1825dc8f82e73eab37e59a91f847fa0bf82931e6f9b5e25555c88432c76c
Opcode Fuzzy Hash: 914fe0c79364df9f651c1fc4cc51e2d4bc01db1839bf5b0b4cfcc483e0aead57
Instruction Fuzzy Hash: 8901D179140308BFDB010F65DC08EAA3F6EEF85364B124014FA00D3350DB31CC409AA0

Function 00EE0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EE0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EE0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EE0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EE0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EE1002

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d4c03d2025d35acbc03d8ad7f7f1f66e051b4dd1c40cfd4360edb597c6fde294
Instruction ID: fa3112e529b00070ea201cf922ddda8be6bcfc78a54b96fecf6808bcb317c57f
Opcode Fuzzy Hash: d4c03d2025d35acbc03d8ad7f7f1f66e051b4dd1c40cfd4360edb597c6fde294
Instruction Fuzzy Hash: 38F0C239180309FBD7210FA5DC4DF963B6EEF89761F128414F945D7291CA30DC809AA0

Function 00EE1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EE102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1062

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f4a6ac56226f3138956a7205dcd9c99794b51d085aebb4f5c236f88074212331
Instruction ID: 0b4228d72b911552c5d80383e33ef571725cffc063a8d25edafd838971f7967b
Opcode Fuzzy Hash: f4a6ac56226f3138956a7205dcd9c99794b51d085aebb4f5c236f88074212331
Instruction Fuzzy Hash: 89F0C239180309FBD7211FA5EC48F963B6EEF89761F124414F945D7250CA30D8809AA0

Function 00EF030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF0324
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF0331
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF033E
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF034B
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF0358
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF0365

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 60450389931351649fd59ee8ab6a1331cae63e6c846c158edd4dab90b42daece
Instruction ID: 3376b8dbd0bcd4176b225ed6a871eb16d786a7dfd4d82cd503570a0d4d5dd0b8
Opcode Fuzzy Hash: 60450389931351649fd59ee8ab6a1331cae63e6c846c158edd4dab90b42daece
Instruction Fuzzy Hash: 7F01A272801B199FC7309F66D880822F7F5BF503193159A3FD29662932C371A954DF80

Function 00EBD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EBD752

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EBD764
_free.LIBCMT ref: 00EBD776
_free.LIBCMT ref: 00EBD788
_free.LIBCMT ref: 00EBD79A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f371c16240a4cc63eba11fe92474ed5c01774740d64cbb9a014f62cfe0189d4d
Instruction ID: f28d9b7be1d4e68d922f8357fdc61bd5563f03dacf553ee89d149b37444489b3
Opcode Fuzzy Hash: f371c16240a4cc63eba11fe92474ed5c01774740d64cbb9a014f62cfe0189d4d
Instruction Fuzzy Hash: 40F04F32509218BB8661EB64FDC5CD77BDDBF453147942C0AF548F7501DB20FC8086A4

Function 00EE5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00EE5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00EE5C6F
MessageBeep.USER32(00000000), ref: 00EE5C87
KillTimer.USER32(?,0000040A), ref: 00EE5CA3
EndDialog.USER32(?,00000001), ref: 00EE5CBD

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 1fcea3afd1d01a54884390e153d8521cf1729ac4b621a70125dd08c55b0995b1
Instruction ID: 6e0a30ae0333356255b8a5fd3aca4bd0a839869a9b9ccf57cd334edae9c398f1
Opcode Fuzzy Hash: 1fcea3afd1d01a54884390e153d8521cf1729ac4b621a70125dd08c55b0995b1
Instruction Fuzzy Hash: B101D131540B08ABEB205B11DD5EFE6B7B8BF04B09F052159A287B10E1DBF0A984DF90

Function 00EB22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EB22BE

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EB22D0
_free.LIBCMT ref: 00EB22E3
_free.LIBCMT ref: 00EB22F4
_free.LIBCMT ref: 00EB2305

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e567145a2a60dd5f8f905fe3ad01b4b9cfb05f331f4fe6949df55b5b48566356
Instruction ID: f9cc511cc351bb7d6798bac614a8a09ae2ca29a3583ee5a8154e16fbf6f41688
Opcode Fuzzy Hash: e567145a2a60dd5f8f905fe3ad01b4b9cfb05f331f4fe6949df55b5b48566356
Instruction Fuzzy Hash: 41F054744013189B8652AF54BC0199A3BE4FB59752B012A0EFB18E2271CB301411BFE5

Function 00E995C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E995D4
StrokeAndFillPath.GDI32(?,?,00ED71F7,00000000,?,?,?), ref: 00E995F0
SelectObject.GDI32(?,00000000), ref: 00E99603
DeleteObject.GDI32 ref: 00E99616
StrokePath.GDI32(?), ref: 00E99631

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ef7a5b2c5c9791d7d0cf750cbe4e419c8e5606db15044bf9b248bc35ae35cf7f
Instruction ID: 2a076157f774ca9a6356edebb7380731270c734b5425133c4110b20202158dcb
Opcode Fuzzy Hash: ef7a5b2c5c9791d7d0cf750cbe4e419c8e5606db15044bf9b248bc35ae35cf7f
Instruction Fuzzy Hash: 16F0373004630CEBDB225F69ED1CBA93B61BB15327F058258F665A50F2C7309995EFA4

Function 00EB0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00EB10F9
__freea.LIBCMT ref: 00EB1117

Part of subcall function 00EB1537: _free.LIBCMT ref: 00EB154F

Strings

a/p, xrefs: 00EB11DE
am/pm, xrefs: 00EB117A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: dc57967ba496cb9fa87c876900bc4ec708939eb30f216a426589b6743f8f5489
Instruction ID: c1d2c26e88aa94980ffe67dfac6bd7d50a295345ee777a766fb4e460deb72057
Opcode Fuzzy Hash: dc57967ba496cb9fa87c876900bc4ec708939eb30f216a426589b6743f8f5489
Instruction Fuzzy Hash: 2BD11831900206CADB249F68C865BFFB7F1FF05724F992199E601BB650E3759D80CB91

Function 00EB5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO, xrefs: 00EB5BA8, 00EB5C6C

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-1663374661
Opcode ID: a511482d45667dd96f8b332f3eba26e2f2ee7bcbc8ae635dca77e4af467e065d
Instruction ID: 7ad9559d7db4585837eec8fa9204c3c6a3369178b62ba129d91d7dc4b937a653
Opcode Fuzzy Hash: a511482d45667dd96f8b332f3eba26e2f2ee7bcbc8ae635dca77e4af467e065d
Instruction Fuzzy Hash: 8A5191729006099BCB11AFA4C885FEFBFF9AF49314F14215AF405BB291D73199019BA1

Function 00EB8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00EB8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00EB8B7A
__dosmaperr.LIBCMT ref: 00EB8B81

Strings

., xrefs: 00EB8A63

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .
API String ID: 2434981716-3963672497
Opcode ID: 32aea55759372622fc553463aab4a84ca4088e0854476d22e5198de3f90b4c3e
Instruction ID: df7c54745d8ebaca2dfe85e899c3d72eb90f90c0a4d8638daaea3d1671e68e3d
Opcode Fuzzy Hash: 32aea55759372622fc553463aab4a84ca4088e0854476d22e5198de3f90b4c3e
Instruction Fuzzy Hash: 06414B74604145AFD7249F64D9D0AFB7FE9DB85304B28A19AE885A7352DE318C02D790

Function 00EE2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EEB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EE21D0,?,?,00000034,00000800,?,00000034), ref: 00EEB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00EE2760

Part of subcall function 00EEB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EE21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00EEB3F8

Part of subcall function 00EEB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00EEB355
Part of subcall function 00EEB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00EE2194,00000034,?,?,00001004,00000000,00000000), ref: 00EEB365
Part of subcall function 00EEB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00EE2194,00000034,?,?,00001004,00000000,00000000), ref: 00EEB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EE27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EE281A

Strings

@, xrefs: 00EE2832

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c3299a7b624988c416c30892a543e1678236bfa3bdd742e97386f8b66a9ef123
Instruction ID: 14c6d6f77e3ef91f3ccaf0e9543a6a5c46c8196e902e6350390198c2327c42c8
Opcode Fuzzy Hash: c3299a7b624988c416c30892a543e1678236bfa3bdd742e97386f8b66a9ef123
Instruction Fuzzy Hash: DA412F7290021CAFDB10DFA5CD46ADEBBB8EF09700F105099FA55B7181DB706E45CBA1

Function 00EB172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00EB1769
_free.LIBCMT ref: 00EB1834
_free.LIBCMT ref: 00EB183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00EB1760, 00EB1767, 00EB1796, 00EB17CE

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: 3d4a1a2c01b467bbacd80e4b809ffb79bd8e3dec9b5e3244d3453fed18a22fbf
Instruction ID: c34b9d31b4f03b636a5780b2dcf09427660d0a7d24ec7fa907aa102ef9f33f7d
Opcode Fuzzy Hash: 3d4a1a2c01b467bbacd80e4b809ffb79bd8e3dec9b5e3244d3453fed18a22fbf
Instruction Fuzzy Hash: B8319F71A00218ABDB21DB999885EDFBBFCFF85320F5051AAF904E7211DA709A40DB90

Function 00EEC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00EEC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00EEC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F51990,01104BA8), ref: 00EEC395

Strings

0, xrefs: 00EEC2DF

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b07a151fd8af8519277f928f727d93dbf5420e51a43ebd25734a789ea7714b83
Instruction ID: 76fa497f68d7079874aa8b79d36d67cdf338e29614be13c3c0309db23efa43ed
Opcode Fuzzy Hash: b07a151fd8af8519277f928f727d93dbf5420e51a43ebd25734a789ea7714b83
Instruction Fuzzy Hash: E341E3312043859FD720DF26D844F5ABBE8AF85314F24966DF9A5A72D2C730E805CB62

Function 00F14416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F1CC08,00000000,?,?,?,?), ref: 00F144AA
GetWindowLongW.USER32 ref: 00F144C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F144D7

Strings

SysTreeView32, xrefs: 00F1447C

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b21de93615a3f6497cd43ece17677f0e7c7dde2e01c8db2bab3b0da5290bd017
Instruction ID: 52f3ba7f47aa1436409d3d681819c39c0456dccc901811cbca41e9ff3b94bfdb
Opcode Fuzzy Hash: b21de93615a3f6497cd43ece17677f0e7c7dde2e01c8db2bab3b0da5290bd017
Instruction Fuzzy Hash: CC31AF31610205AFDF209E38DC45BDA7BA9EB48334F254315F979A31D0D771EC90AB50

Function 00EE6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00EE6EED
VariantCopyInd.OLEAUT32(?,?), ref: 00EE6F08
VariantClear.OLEAUT32(?), ref: 00EE6F12

Strings

*j, xrefs: 00EE6E8B, 00EE6E90, 00EE6EF8

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j
API String ID: 2173805711-1845181700
Opcode ID: 938d3c73fb4081564cd84bb1ddf2718c6055481939f13202dae1c06711b45a7c
Instruction ID: 91c2de3dacfa72adfec1524abc3805e5221fcd465731a5212a13c821bd54fe4b
Opcode Fuzzy Hash: 938d3c73fb4081564cd84bb1ddf2718c6055481939f13202dae1c06711b45a7c
Instruction Fuzzy Hash: 6431B171708299DFCB04EFA5E8909FD37B6FFA5344B101498F8066B2A1CB309912DBD0

Function 00F0304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F0335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00F03077,?,?), ref: 00F03378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F0307A
_wcslen.LIBCMT ref: 00F0309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00F03106

Strings

255.255.255.255, xrefs: 00F03095, 00F0309A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 728429a04a20bf207a423b8af3bb0e8e701f51e17d08ccdc3f4e3e8ad9687f4e
Instruction ID: e4de6c6174fdb2a76a2cb79be05be17ee02697a2405bdd599342bbb4e7791271
Opcode Fuzzy Hash: 728429a04a20bf207a423b8af3bb0e8e701f51e17d08ccdc3f4e3e8ad9687f4e
Instruction Fuzzy Hash: DA31E735A04205DFCB10CF28C585EAA77E8EF54328F258059E8159B3D2D772EE45F761

Function 00F13EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F13F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F13F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F13F78

Strings

SysMonthCal32, xrefs: 00F13F0B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ea2d689f29535d9d54b103a808f04b97b84954bb56cf4d8c0be3791c3388d781
Instruction ID: 536bf78137ab55012fd36e764e381c207b4cd0221cfb5b069e279ec9130ffa35
Opcode Fuzzy Hash: ea2d689f29535d9d54b103a808f04b97b84954bb56cf4d8c0be3791c3388d781
Instruction Fuzzy Hash: 0921BF32A00219BFDF259F50CC46FEA3B75EB48724F110214FA197B1D0D6B1A895EB90

Function 00F14653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F14705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F14713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F1471A

Strings

msctls_updown32, xrefs: 00F14684

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b50fe182dbe659a0f97ca10810efc31b9f742706a4c113fe7390cb35f0be6f4c
Instruction ID: 068b5aabf4ece2595e26a5e3af8c9ee09667ef1827ce8b4a2fc81939775ee1f6
Opcode Fuzzy Hash: b50fe182dbe659a0f97ca10810efc31b9f742706a4c113fe7390cb35f0be6f4c
Instruction Fuzzy Hash: 6B2160B5600208AFEB11DF64DCC1DA737EDEB9A7A4B140059FA049B291CB71FC51EB60

Function 00EE95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EE961D

Strings

#OnAutoItStartRegister, xrefs: 00EE95F3
#requireadmin, xrefs: 00EE95D9
#notrayicon, xrefs: 00EE95B7

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 7d075f5990e29c606ae6ea0eac1a7559531750ad1e403a6cba0a3e8cca803428
Instruction ID: 79d12625038d8fbaae03eded12b79c8a1ae5c59c8e9f961edfa9ea8472df6b14
Opcode Fuzzy Hash: 7d075f5990e29c606ae6ea0eac1a7559531750ad1e403a6cba0a3e8cca803428
Instruction Fuzzy Hash: 7C218B72204696A6C331BB269C02FFB73E89F95304F106427F949BB083EB51ED85C3A1

Function 00F137B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F13840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F13850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F13876

Strings

Listbox, xrefs: 00F1380F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b8639a02e3d57be488092afe7e0a86590a8b05eb5c6bd34a1f59ad655b99321a
Instruction ID: 6d72a87f726a8a995fa3398c1d1a9f015b4b40ef8f3861e49ba887ac6c2872e6
Opcode Fuzzy Hash: b8639a02e3d57be488092afe7e0a86590a8b05eb5c6bd34a1f59ad655b99321a
Instruction Fuzzy Hash: E0219272A14218BBEF219F54DC45FFB376EEF89760F118124F9049B190C675DC92A7A0

Function 00EF49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EF4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EF4A5C
SetErrorMode.KERNEL32(00000000,?,?,00F1CC08), ref: 00EF4AD0

Strings

%lu, xrefs: 00EF4A6F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 794e4aedf737ad0dfa295492ca26009987290e831157622e67237ae753479fb6
Instruction ID: cc97321c52c6226d41ec9ac6b560e97d11ba2619a159f88a8be6edc5a9d25226
Opcode Fuzzy Hash: 794e4aedf737ad0dfa295492ca26009987290e831157622e67237ae753479fb6
Instruction Fuzzy Hash: 74318575A40109AFDB10DF54C885EBA7BF8EF05308F148099F909EB252D771ED45CBA1

Function 00F141EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F1424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F14264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F14271

Strings

msctls_trackbar32, xrefs: 00F14226

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 66842b70543a4fe48206a46b767fdfefabab3353ba377633417ddf562e6b6816
Instruction ID: 5daec33638e5d281114f7bd988d1571bd14669899e1dfb57a40a7cd417b12c22
Opcode Fuzzy Hash: 66842b70543a4fe48206a46b767fdfefabab3353ba377633417ddf562e6b6816
Instruction Fuzzy Hash: E6110631640248BEEF205F29CC06FEB3BACEFD5B64F110114FA55E2090D271EC91AB10

Function 00EE2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

Part of subcall function 00EE2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EE2DC5
Part of subcall function 00EE2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE2DD6
Part of subcall function 00EE2DA7: GetCurrentThreadId.KERNEL32 ref: 00EE2DDD
Part of subcall function 00EE2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EE2DE4

GetFocus.USER32 ref: 00EE2F78

Part of subcall function 00EE2DEE: GetParent.USER32(00000000), ref: 00EE2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00EE2FC3
EnumChildWindows.USER32(?,00EE303B), ref: 00EE2FEB

Strings

%s%d, xrefs: 00EE2FFF

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 758e08fc9a89e7229a282cd4cd16d107f70b2fcc420368ba1a68c364b5208e9f
Instruction ID: 4a874baa2bd35a6b4c3327a3fe8e66fbe42b00a2941b6c8a0925899fc9d7fc3e
Opcode Fuzzy Hash: 758e08fc9a89e7229a282cd4cd16d107f70b2fcc420368ba1a68c364b5208e9f
Instruction Fuzzy Hash: F711B7756002496BCF147F718C89EED77AAAF94318F049079FA0DBB252DE3099459B60

Function 00F15882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F158C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F158EE
DrawMenuBar.USER32(?), ref: 00F158FD

Strings

0, xrefs: 00F1588F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 72ee150c3b0056bce56f9f75e53d074ed81c2cf467b9ee8ae69725990440c4cf
Instruction ID: 6241660ca2b519e4c092a6c6818b4ff7fadaaec7e9d1013c98a26ee92464f2b4
Opcode Fuzzy Hash: 72ee150c3b0056bce56f9f75e53d074ed81c2cf467b9ee8ae69725990440c4cf
Instruction Fuzzy Hash: D2016D32500218EFDB219F11DC44BEEBBB9FB85760F148099E849D6151DB308AC4EF62

Function 00EDD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00EDD3BF
FreeLibrary.KERNEL32 ref: 00EDD3E5

Strings

X64, xrefs: 00EDD2A8
GetSystemWow64DirectoryW, xrefs: 00EDD3B9

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 3ff562fc48cf142836d19ab786144dfede0505a1aef5f22584692a0ef032837f
Instruction ID: 25249b3b2fd4db5e1726f8f84903397c3c8b556ac02147c6b462ae118e7f9fd0
Opcode Fuzzy Hash: 3ff562fc48cf142836d19ab786144dfede0505a1aef5f22584692a0ef032837f
Instruction Fuzzy Hash: 70F02B318CD621EBDB7516108C64EE97324EF10705F5AB56BFC02F2315E720CD86A6D2

Function 00EE007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf875f035842e1fe8c32e0c037b783c869980f6f4d0589949335bceb0bf5261
Instruction ID: 422b0ff8e81a640b5ae0819a801a44d96df48af9712c6595ff1785831b7eb0d8
Opcode Fuzzy Hash: bcf875f035842e1fe8c32e0c037b783c869980f6f4d0589949335bceb0bf5261
Instruction Fuzzy Hash: 2DC16B75A0024AEFDB14CFA5C894EAEB7B5FF48304F209598E505EB251D771EE81CB90

Function 00F0342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F03459
CoUninitialize.OLE32 ref: 00F03463
VariantInit.OLEAUT32(?), ref: 00F0346E
VariantClear.OLEAUT32(?), ref: 00F0371B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 94aa99bf6c4d9c82eeaed3de5555012fa0e4ec873e18c7708a7d664f5f96cea6
Instruction ID: 059c44219a7594832bc00f4a6ccac819a997449372cde660ad7d6a59882aee84
Opcode Fuzzy Hash: 94aa99bf6c4d9c82eeaed3de5555012fa0e4ec873e18c7708a7d664f5f96cea6
Instruction Fuzzy Hash: 61A14F756043019FC710EF24C485A2AB7E9FF89714F148859F999AB3A2DB31ED01DB51

Function 00EE0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F1FC08,?), ref: 00EE05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F1FC08,?), ref: 00EE0608
CLSIDFromProgID.OLE32(?,?,00000000,00F1CC40,000000FF,?,00000000,00000800,00000000,?,00F1FC08,?), ref: 00EE062D
_memcmp.LIBVCRUNTIME ref: 00EE064E

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 6855709527d1878755104cfb8b14126fa30a9a935d33a15fa35a03afa2033daa
Instruction ID: 6934dbbf17f06018e19bfe838d0380f0b6fe40c4a2a5e955d74438a30084d824
Opcode Fuzzy Hash: 6855709527d1878755104cfb8b14126fa30a9a935d33a15fa35a03afa2033daa
Instruction Fuzzy Hash: 3D810971A0010AEFCB04DF94C984EEEB7B9FF89315F205558E516BB250DB71AE46CBA0

Function 00F0A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F0A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00F0A6BA

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Process32NextW.KERNEL32(00000000,?), ref: 00F0A79C
CloseHandle.KERNEL32(00000000), ref: 00F0A7AB

Part of subcall function 00E9CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00EC3303,?), ref: 00E9CE8A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 992e7966903fc1c135442c42c174f079d2adb0ff9de2068bcbf4840808ebb9ca
Instruction ID: 7b146743f9bc791d617b12bde52b0f05e6d6f1af55e94e201a197a80dd9765ce
Opcode Fuzzy Hash: 992e7966903fc1c135442c42c174f079d2adb0ff9de2068bcbf4840808ebb9ca
Instruction Fuzzy Hash: 08518F71508300AFD714EF24C885E6BBBE8FF89754F04991DF589A7292EB30D904DB92

Function 00EC1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EC14C0

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 10a890fbc05a19811c530fc78612a13e26a174ecfafbc7a13bc58d8147747a0a
Instruction ID: 61665c490442227b7884e0f065ee1abd6d82ddcb5d134ca824dfdab4f16032b5
Opcode Fuzzy Hash: 10a890fbc05a19811c530fc78612a13e26a174ecfafbc7a13bc58d8147747a0a
Instruction Fuzzy Hash: 1C412A31500100AADB296BF88D45FEE3AE5FF47374F1462ADF829F6293E63648425261

Function 00F16278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F162E2
ScreenToClient.USER32(?,?), ref: 00F16315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00F16382

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 958e087ce0d41a30be4852daea3e73d1aa4380e2bea12548b0242c8470b9172e
Instruction ID: 2273d28715747dbad9e4f3d9fb8d9d25963457038195e74ad6a20fa1d4e9ea72
Opcode Fuzzy Hash: 958e087ce0d41a30be4852daea3e73d1aa4380e2bea12548b0242c8470b9172e
Instruction Fuzzy Hash: ED512974A00249AFDF14DF68D880AEE7BB5FB45360F108169F925DB2A0D770ED81EB90

Function 00F01AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F01AFD
WSAGetLastError.WSOCK32 ref: 00F01B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F01B8A
WSAGetLastError.WSOCK32 ref: 00F01B94

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 32ee1bd559ee091309886e006bcb27b899b1acc3bbe2b1d67ed94cce90788fd9
Instruction ID: c11673be1ccb46cba034390742a08b4f2964ff309b40fb03a3dfa744bb32ff03
Opcode Fuzzy Hash: 32ee1bd559ee091309886e006bcb27b899b1acc3bbe2b1d67ed94cce90788fd9
Instruction Fuzzy Hash: 4941B274640200AFEB20AF24C886F6977E5AF84718F54D488FA1AAF7D2D772DD41DB90

Function 00EBB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9739a614e682005f893c8f5fd1ee1a1fb8d15371de6a3568eb6a8f85ff7bdbc1
Instruction ID: f71e6b8f2ea340793ae57eee59f7d8d0216c930fbcb09e61f94734ab23c42fd9
Opcode Fuzzy Hash: 9739a614e682005f893c8f5fd1ee1a1fb8d15371de6a3568eb6a8f85ff7bdbc1
Instruction Fuzzy Hash: 5E412871A00714AFD7249F78CC41BEBBBE9EF89710F10566EF151EB292E7B1A9018790

Function 00EF56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EF5783
GetLastError.KERNEL32(?,00000000), ref: 00EF57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EF57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EF57FA

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 4adfefa824aa020f17a701aa3011f81796561b71aa81055d1b5d227f57009ae2
Instruction ID: b92d1a2c4fc02383badd263a9a62d8c23b0d0a715a52f0779d56b33c564eae1c
Opcode Fuzzy Hash: 4adfefa824aa020f17a701aa3011f81796561b71aa81055d1b5d227f57009ae2
Instruction Fuzzy Hash: D1412B39600654DFCB11EF15C444A5EBBE2AF89724B19D498EA5EAB362CB30FD40CB91

Function 00EBD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00EA82D9,?,00EA82D9,?,00000001,?,?,00000001,00EA82D9,00EA82D9), ref: 00EBD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EBD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00EBD9AB
__freea.LIBCMT ref: 00EBD9B4

Part of subcall function 00EB3820: RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 078a28f19451c3425de94234e829cae7bd06271845305c27342ab9d09cbd230d
Instruction ID: 188a5191824f86fb7547bce7adb0df0cee26fdee329192d6581a9171feac039d
Opcode Fuzzy Hash: 078a28f19451c3425de94234e829cae7bd06271845305c27342ab9d09cbd230d
Instruction Fuzzy Hash: 5131AB72A0020AABDF289F65DC41EEF7BA5EB81714F054168FC04EA290EB75DD54CBA0

Function 00F152C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00F15352
GetWindowLongW.USER32(?,000000F0), ref: 00F15375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F15382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F153A8

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: d4d113b2e134b80f64c5a798d5e5dc0145c100e9649eed64020fa1d78ec93596
Instruction ID: 4e7ab216a5f996dbe93eb4c5f8ef6518a62ce3266865bbaf02e1f1bc90b17fd8
Opcode Fuzzy Hash: d4d113b2e134b80f64c5a798d5e5dc0145c100e9649eed64020fa1d78ec93596
Instruction Fuzzy Hash: 8831C435E55A0CEFEB349E54CC15BE83767AB84BA0F584106FA24971E1C7B1ADC0BB41

Function 00EEAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00EEABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00EEAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00EEAC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00EEACC6

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e67cf3bb54fb0488cac4f7069c4ec0ff89bef7cded830ef151388320628a7b45
Instruction ID: 2451d05a732cf722efaf123722c1ade529aa7ee806587d901a889faa74140c5f
Opcode Fuzzy Hash: e67cf3bb54fb0488cac4f7069c4ec0ff89bef7cded830ef151388320628a7b45
Instruction Fuzzy Hash: 32312A30A4039C6FEF34CB668C047FAFBA5AB85314F2C622EE485721D1C375A9859792

Function 00F17674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00F1769A
GetWindowRect.USER32(?,?), ref: 00F17710
PtInRect.USER32(?,?,00F18B89), ref: 00F17720
MessageBeep.USER32(00000000), ref: 00F1778C

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 27b982ec435353934ec7deff76445c0a3d149b64aff898e698b31673a6c6010e
Instruction ID: cb72e16f0dc677fbf0bd07e3d9bf15d28472499780b0fe35f467528fa3865c81
Opcode Fuzzy Hash: 27b982ec435353934ec7deff76445c0a3d149b64aff898e698b31673a6c6010e
Instruction Fuzzy Hash: 73417E35A053189FDB01EF59C894FE9BBF5BB49314F1581A8E5189B2A1C730A981EF90

Function 00F116DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F116EB

Part of subcall function 00EE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE3A57
Part of subcall function 00EE3A3D: GetCurrentThreadId.KERNEL32 ref: 00EE3A5E
Part of subcall function 00EE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EE25B3), ref: 00EE3A65

GetCaretPos.USER32(?), ref: 00F116FF
ClientToScreen.USER32(00000000,?), ref: 00F1174C
GetForegroundWindow.USER32 ref: 00F11752

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0c418e968ddaa48320b64bc624393f127460b240dc64ae5410e0eb97ad601187
Instruction ID: efe26b5ec941fb38c0228bf6e5327c25e67412af95d4b1b95bbab39eaaaf8986
Opcode Fuzzy Hash: 0c418e968ddaa48320b64bc624393f127460b240dc64ae5410e0eb97ad601187
Instruction Fuzzy Hash: 84316F71E00149AFDB00EFA9C881CEEBBF9EF48304B6490A9E519E7251D731DE45CBA0

Function 00EEDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00E87620: _wcslen.LIBCMT ref: 00E87625

_wcslen.LIBCMT ref: 00EEDFCB
_wcslen.LIBCMT ref: 00EEDFE2
_wcslen.LIBCMT ref: 00EEE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00EEE018

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 184a8ce35c62a51a07cd8e9be1579c67e33d9f91c4153b994927ae6e3241fbe6
Instruction ID: 77b2a3c4d10394b4c2ccce415aa413bfab86b97f83fde7e8364f20ff58ce374d
Opcode Fuzzy Hash: 184a8ce35c62a51a07cd8e9be1579c67e33d9f91c4153b994927ae6e3241fbe6
Instruction Fuzzy Hash: 7E21A671900218AFCB10DFA4D981BAEB7F8EF89750F145065E805BB385D7709D40CBA1

Function 00F18FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

GetCursorPos.USER32(?), ref: 00F19001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00ED7711,?,?,?,?,?), ref: 00F19016
GetCursorPos.USER32(?), ref: 00F1905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00ED7711,?,?,?), ref: 00F19094

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: a2d7ac685e38b3b352603b3f11af77395615da72d75771e9e3a3614d7bb0050b
Instruction ID: 2f4584668dca944b6820a170f7dbfbc0ea8f2cc8bcd68a83c059714357eaa1c6
Opcode Fuzzy Hash: a2d7ac685e38b3b352603b3f11af77395615da72d75771e9e3a3614d7bb0050b
Instruction Fuzzy Hash: 32218035A00118AFDB25CFA5C868FEA7BB9FB49361F044065F90557261C371AD90FBA0

Function 00EED2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00F1CB68), ref: 00EED2FB
GetLastError.KERNEL32 ref: 00EED30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EED319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F1CB68), ref: 00EED376

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2e3a6f9078da8bdfe6cf7cdcac1fc0b4f1d14d0ed27267a3df5e4ba5741356ab
Instruction ID: dbae974abfbf6cd560fc85c35cf99fcffb4adf10a6ee8b25ea7a9baca61515bb
Opcode Fuzzy Hash: 2e3a6f9078da8bdfe6cf7cdcac1fc0b4f1d14d0ed27267a3df5e4ba5741356ab
Instruction Fuzzy Hash: 5C21A1745482459F8310EF29CC818AEB7E4EE5A328F105A1DF499E72E1D731D945CB93

Function 00EE1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EE102A
Part of subcall function 00EE1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1036
Part of subcall function 00EE1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1045
Part of subcall function 00EE1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE104C
Part of subcall function 00EE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EE15BE
_memcmp.LIBVCRUNTIME ref: 00EE15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE1617
HeapFree.KERNEL32(00000000), ref: 00EE161E

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: e61c7594c72009b40d12d89ad5c477c5cf371bde8b93b8e0c30e8ca29254e5d8
Instruction ID: 84fb9ca719b468c1c0fac546f2d2e7e7d2ef2306150f7efc9166af6c1393f1e7
Opcode Fuzzy Hash: e61c7594c72009b40d12d89ad5c477c5cf371bde8b93b8e0c30e8ca29254e5d8
Instruction Fuzzy Hash: BC218E31E40109EFDF00DFA6C945BEEB7B8EF44354F099499E445BB241E730AA45DB90

Function 00F12782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00F1280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F12824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F12832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00F12840

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 97ca78cd34df33f997bc12a27992d0b336850b3fe8d6a7c3da27fd10b6468522
Instruction ID: 785ccd2bad7e075b0421f15bdfc14022064d879b37aa0000f45fb9800e5ee992
Opcode Fuzzy Hash: 97ca78cd34df33f997bc12a27992d0b336850b3fe8d6a7c3da27fd10b6468522
Instruction Fuzzy Hash: 78210331604114AFD7149B64CC44FEA7B9AEF45324F198158F42A8B2E2CB75FC92DBD0

Function 00EE78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00EE790A,?,000000FF,?,00EE8754,00000000,?,0000001C,?,?), ref: 00EE8D8C
Part of subcall function 00EE8D7D: lstrcpyW.KERNEL32(00000000,?,?,00EE790A,?,000000FF,?,00EE8754,00000000,?,0000001C,?,?,00000000), ref: 00EE8DB2
Part of subcall function 00EE8D7D: lstrcmpiW.KERNEL32(00000000,?,00EE790A,?,000000FF,?,00EE8754,00000000,?,0000001C,?,?), ref: 00EE8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00EE8754,00000000,?,0000001C,?,?,00000000), ref: 00EE7923
lstrcpyW.KERNEL32(00000000,?,?,00EE8754,00000000,?,0000001C,?,?,00000000), ref: 00EE7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00EE8754,00000000,?,0000001C,?,?,00000000), ref: 00EE7984

Strings

cdecl, xrefs: 00EE797B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: aad501293b90ed65f480e1e0faf5e2659f846b766569dd589845dc1188a43d03
Instruction ID: 8a4f561b3d343929d49c5365e23ebe98ed362204f6a25ce3a32d7b64be9d8dca
Opcode Fuzzy Hash: aad501293b90ed65f480e1e0faf5e2659f846b766569dd589845dc1188a43d03
Instruction Fuzzy Hash: 2711293A200389ABCB155F35DC44E7A77E9FF85354B11902AF886D7265EB32D801D791

Function 00F17CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00F17D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00F17D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F17D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EFB7AD,00000000), ref: 00F17D6B

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 8a3d7c369d5fb5fdf2f95066d7604faab2b1bdccfb88bfbbeee1a5e2613799c9
Instruction ID: ade470fd91f9c26888bc3bb2eded90a97c16a74ec3f215eec0af830f36298cf4
Opcode Fuzzy Hash: 8a3d7c369d5fb5fdf2f95066d7604faab2b1bdccfb88bfbbeee1a5e2613799c9
Instruction Fuzzy Hash: 7D11C032604718AFCB10AF28DC04AE63BA5BF45375B158724F939D72F0D7309991EB80

Function 00F15660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00F156BB
_wcslen.LIBCMT ref: 00F156CD
_wcslen.LIBCMT ref: 00F156D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F15816

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e64ac3bc59e9cf7a8323e4b295e8fac6091f8b92197ef27747c499aee8e4ba50
Instruction ID: 5b1387672ce0836cf80a79ced7c3562f31502839b0f3febf881f6371ead7ea50
Opcode Fuzzy Hash: e64ac3bc59e9cf7a8323e4b295e8fac6091f8b92197ef27747c499aee8e4ba50
Instruction Fuzzy Hash: 38110672A00609D6DF20DF61CC81AEE77ACEF95B74F504026F905D6081E770D9C4EBA0

Function 00EB1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb803bb3658e31e1122695a0760a33c38c338965f52c6f017c669a790004156
Instruction ID: 4bb58f5e53b1f6a28db80564c666ddfa0010aad2e1074fd90af741d7c3c1eeab
Opcode Fuzzy Hash: bdb803bb3658e31e1122695a0760a33c38c338965f52c6f017c669a790004156
Instruction Fuzzy Hash: C901D1B220A71A7EF62126786CD0FE7665CDF817BAF71236AF621B11D2DB60CC005170

Function 00EE1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00EE1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE1A8A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e8458578bff4c0d02f341ed023a363ed220c9d8f448fbc6ec00cbd9f31fd7881
Instruction ID: 5abddd354d64ec08bc4d07f5e3519d71ffe37cc5f92bae33b9900bec6c367070
Opcode Fuzzy Hash: e8458578bff4c0d02f341ed023a363ed220c9d8f448fbc6ec00cbd9f31fd7881
Instruction Fuzzy Hash: 6411393AD01219FFEB10DBA5CD85FADBB78EB08750F2000A1EA04B7290D6716E90DB94

Function 00EEE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EEE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00EEE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00EEE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00EEE24D

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 18dea5b8bd84c964ff53c0abe86d9c7f4ea9445c841a4a6979e04d69e52a8d74
Instruction ID: 3677ff9e5816c609f8665c3316ea0f4424cbc048425b18c45559f774b0b79f0c
Opcode Fuzzy Hash: 18dea5b8bd84c964ff53c0abe86d9c7f4ea9445c841a4a6979e04d69e52a8d74
Instruction Fuzzy Hash: 7911087690435CBBC7019FA9AC05BDE7FACAB4A315F008215FA24F3390D2B0DD0497A0

Function 00EAD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00EACFF9,00000000,00000004,00000000), ref: 00EAD218
GetLastError.KERNEL32 ref: 00EAD224
__dosmaperr.LIBCMT ref: 00EAD22B
ResumeThread.KERNEL32(00000000), ref: 00EAD249

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a683300a6ac407c6a291c6fe9e4e36c5d8f1a3c5967c6601dfbd58c13f602fed
Instruction ID: ccf7ae5ef13e857f3d72857207330d6fd625219843e3b03fcb7a115017d45ce6
Opcode Fuzzy Hash: a683300a6ac407c6a291c6fe9e4e36c5d8f1a3c5967c6601dfbd58c13f602fed
Instruction Fuzzy Hash: EE010876409108BBC7115BA5DC05BAA7A99DF8B330F105219F926BA0E0CB70A800C6B0

Function 00F19EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

GetClientRect.USER32(?,?), ref: 00F19F31
GetCursorPos.USER32(?), ref: 00F19F3B
ScreenToClient.USER32(?,?), ref: 00F19F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00F19F7A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 15df21134d517df35c306c2160f170576388e1e14d629004ec0748efa696d877
Instruction ID: 85ea5d9d7ce9be1a865d4e8c9a279d888df6c484e6f5c322e21f2bbc86f4f611
Opcode Fuzzy Hash: 15df21134d517df35c306c2160f170576388e1e14d629004ec0748efa696d877
Instruction Fuzzy Hash: AB11333290421ABBDB10EFA8C8999EE77B9FB05321F004455F911E3141D3B4BA82EBE1

Function 00E8600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E8604C
GetStockObject.GDI32(00000011), ref: 00E86060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E8606A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 3275e6093f68b1fb18f682e3e5a6143928f986588410b03581c41c67292171ce
Instruction ID: 3ca37400110e4a5d5696e9e5160cfa489887569780892c7e9872214bf0f298b0
Opcode Fuzzy Hash: 3275e6093f68b1fb18f682e3e5a6143928f986588410b03581c41c67292171ce
Instruction Fuzzy Hash: 8211AD7210150CBFEF225FA48C54EEABB69FF083A8F015205FA0866150C732DC60EBA0

Function 00EA3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00EA3B56

Part of subcall function 00EA3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00EA3AD2
Part of subcall function 00EA3AA3: ___AdjustPointer.LIBCMT ref: 00EA3AED

_UnwindNestedFrames.LIBCMT ref: 00EA3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00EA3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00EA3BA4

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: aced855509fe34021b5ebc2758200dfd440bc381eb152b1439bbc9d61a48e809
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 0E012D72100148BBDF115EA5DC42EEB7FAAEF8E754F045014FE586A121C772E961DBA0

Function 00EB3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E813C6,00000000,00000000,?,00EB301A,00E813C6,00000000,00000000,00000000,?,00EB328B,00000006,FlsSetValue), ref: 00EB30A5
GetLastError.KERNEL32(?,00EB301A,00E813C6,00000000,00000000,00000000,?,00EB328B,00000006,FlsSetValue,00F22290,FlsSetValue,00000000,00000364,?,00EB2E46), ref: 00EB30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00EB301A,00E813C6,00000000,00000000,00000000,?,00EB328B,00000006,FlsSetValue,00F22290,FlsSetValue,00000000), ref: 00EB30BF

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 25b63cc8c5d96c9d247592402890c4033f3100de8ed497a41acf60989c3c66cb
Instruction ID: 5128057b5c68b63a735d8ca15ea0f461fc26a78923802421b9a0058200c5e58e
Opcode Fuzzy Hash: 25b63cc8c5d96c9d247592402890c4033f3100de8ed497a41acf60989c3c66cb
Instruction Fuzzy Hash: CA01F236785336ABCB315B79AC46AE77B98AF05BA5B215620F906F3140CB21D901C6E0

Function 00EE7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00EE747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00EE7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00EE74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00EE74CA

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 3e0dd9de953d340fa912edf48c0e232590ec8444cbc250c07e54b66fa35fc458
Instruction ID: d13c4004dbf12b7cf7c3e304f132041dd003bb93fcbc89b2f82c015f36177acd
Opcode Fuzzy Hash: 3e0dd9de953d340fa912edf48c0e232590ec8444cbc250c07e54b66fa35fc458
Instruction Fuzzy Hash: 2E11A1B5249358ABE720CF55DC08FD27FFCEB00B04F109569A6A6E6191D770E904DB90

Function 00EEB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EEACD3,?,00008000), ref: 00EEB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EEACD3,?,00008000), ref: 00EEB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EEACD3,?,00008000), ref: 00EEB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EEACD3,?,00008000), ref: 00EEB126

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 38c92656510a48282648102248e9da6f50d32c2244e78e0e7119948e2d22b54e
Instruction ID: dec3061355e6b8f2970068d8751ec77724b201de5b16d7423135d2a417e1dae2
Opcode Fuzzy Hash: 38c92656510a48282648102248e9da6f50d32c2244e78e0e7119948e2d22b54e
Instruction Fuzzy Hash: FC115B31C4166CE7CF04AFE6E9A87EFBB78FF49721F119086D941B2281CB305650AB91

Function 00F17E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F17E33
ScreenToClient.USER32(?,?), ref: 00F17E4B
ScreenToClient.USER32(?,?), ref: 00F17E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F17E8A

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: fa5a01660b8709eb4702a1d69bd8cb73d1fd369ab6a9885bee8e50bcbd18c93c
Instruction ID: 274af1b8cfe5e42378b4646aaf8ce672d11d791852db8e6581f645868412d7b4
Opcode Fuzzy Hash: fa5a01660b8709eb4702a1d69bd8cb73d1fd369ab6a9885bee8e50bcbd18c93c
Instruction Fuzzy Hash: B11140B9D0020AAFDB41DF98C884AEEBBF9FB08310F509066E915E3210D775AA54DF90

Function 00EE2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EE2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE2DD6
GetCurrentThreadId.KERNEL32 ref: 00EE2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EE2DE4

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f88e93e500a6fbde8d4c1489a34c9984d2d6a37deab5e3443c2c5e9e517908bb
Instruction ID: ed8b24a3bb138f5b5102ad63b35aa37f4c7d0cec4957ad7ff4a95c8a03ef7475
Opcode Fuzzy Hash: f88e93e500a6fbde8d4c1489a34c9984d2d6a37deab5e3443c2c5e9e517908bb
Instruction Fuzzy Hash: 9EE06D7158122C7BD7201BA39C0DEEB3E6CEB42BA1F015119B309E1080DBA08840D6F0

Function 00F18863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E99639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E99693
Part of subcall function 00E99639: SelectObject.GDI32(?,00000000), ref: 00E996A2
Part of subcall function 00E99639: BeginPath.GDI32(?), ref: 00E996B9
Part of subcall function 00E99639: SelectObject.GDI32(?,00000000), ref: 00E996E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00F18887
LineTo.GDI32(?,?,?), ref: 00F18894
EndPath.GDI32(?), ref: 00F188A4
StrokePath.GDI32(?), ref: 00F188B2

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 66e39c1d00017e79fc0a041de3764904e632343a027c0cdf865e466b55a8ca0a
Instruction ID: 407deb4269c702cde8323bf5a7fb3415053090d2231a11ff727375b73c8a02bb
Opcode Fuzzy Hash: 66e39c1d00017e79fc0a041de3764904e632343a027c0cdf865e466b55a8ca0a
Instruction Fuzzy Hash: B6F05E3608125CFADB125F94AC0AFCE3F59AF0A321F058000FB11A50E2C7755551EFE9

Function 00E998B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E998CC
SetTextColor.GDI32(?,?), ref: 00E998D6
SetBkMode.GDI32(?,00000001), ref: 00E998E9
GetStockObject.GDI32(00000005), ref: 00E998F1

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 4acbffce2b59a095cd2e8f25643f12b21fbd4bdc997f84f705cfe0c386207a5a
Instruction ID: 3650c6d357416f47ce8a7ffb5b6500e60aee7ec8b2ad2c123cfa296a37d6e39e
Opcode Fuzzy Hash: 4acbffce2b59a095cd2e8f25643f12b21fbd4bdc997f84f705cfe0c386207a5a
Instruction Fuzzy Hash: 1EE065312C4244BADB215B74BC09BD83F11EB11736F14C21AF6F5640E1C3714641AB11

Function 00EE162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00EE1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00EE11D9), ref: 00EE163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EE11D9), ref: 00EE1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00EE11D9), ref: 00EE164F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5034fad71d28fdbe7a4ceaab07e358875c28c15cc37b78f0c7ec1a716f31ee8f
Instruction ID: 946708fcb0dd44ee688651b9b2d2d0a4732a9ed6b58a24804d1dd4fd8685e3df
Opcode Fuzzy Hash: 5034fad71d28fdbe7a4ceaab07e358875c28c15cc37b78f0c7ec1a716f31ee8f
Instruction Fuzzy Hash: 95E08631641215DBD7201FA19D0DBC63B7CBF44795F16C848F245D9080D6344580DB90

Function 00EDD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00EDD858
GetDC.USER32(00000000), ref: 00EDD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EDD882
ReleaseDC.USER32(?), ref: 00EDD8A3

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3274c60a97a140cbe530fbbe026d6ee627906668dcf4c99981a8fe4eec202f75
Instruction ID: 2691e23c50ad36f45d8ad22de96ab0f7cc821ce52ff8b36eedc434c084ad8667
Opcode Fuzzy Hash: 3274c60a97a140cbe530fbbe026d6ee627906668dcf4c99981a8fe4eec202f75
Instruction Fuzzy Hash: 5AE01AB4844208EFCF41AFA0D8086ADBBF2FB08310F25E009E80EE7250C7384901BF90

Function 00EDD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00EDD86C
GetDC.USER32(00000000), ref: 00EDD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EDD882
ReleaseDC.USER32(?), ref: 00EDD8A3

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 97878f561f7fc4fbb5b47c32a2f18dabd8ae17e72c2c4e9987068377367424b5
Instruction ID: 7569b16628a86b25e83d5ab81bbb6298a9e3b66534f16e85a186659e8b8200ce
Opcode Fuzzy Hash: 97878f561f7fc4fbb5b47c32a2f18dabd8ae17e72c2c4e9987068377367424b5
Instruction Fuzzy Hash: 51E09A75D44208DFCF51AFA0D8086ADBBF5BB08311B15A449E94EE7250C7385901AF90

Function 00EF4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E87620: _wcslen.LIBCMT ref: 00E87625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00EF4ED4

Strings

*, xrefs: 00EF4E10
LPT, xrefs: 00EF4DFB

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: ecf7ea5c22c0aa50568f4acf073a3681406b8530c3e664a4cb0775465a6a8a6b
Instruction ID: 2dd5478f788eed110d0b51068e8e4d9784d63ca2a9cbf93f4bcf5c86c8b12dfb
Opcode Fuzzy Hash: ecf7ea5c22c0aa50568f4acf073a3681406b8530c3e664a4cb0775465a6a8a6b
Instruction Fuzzy Hash: 759163B5A002089FCB14DF54C484EBABBF1BF45318F19A099E549AF3A2D731ED85CB91

Function 00EAE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00EAE30D

Strings

pow, xrefs: 00EAE2E5, 00EAE302

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 40eaa614bacc2d59bc64537566e8b764ed7af0dabb411eb986b07a4a9782428a
Instruction ID: 4b87c2420fdb516b795c98db40094756e1f472ba6964d84cdf912a6357fd5937
Opcode Fuzzy Hash: 40eaa614bacc2d59bc64537566e8b764ed7af0dabb411eb986b07a4a9782428a
Instruction Fuzzy Hash: 5B518D61A0C20696CB157714C9013FB3BE8EF86784F30799CE0D67A7E8EB34DC959A46

Function 00E9E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00E9E1B1

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bf7b3e3b5a9a6fb33020abcd601f399acc1ea1d9e32383c243f2a9c7f43a4e9
Instruction ID: ab430129ea2e2b6c74bd9bf34df5eed4c5f5ebc24d6e107b1bcd04e1f170aa0d
Opcode Fuzzy Hash: 4bf7b3e3b5a9a6fb33020abcd601f399acc1ea1d9e32383c243f2a9c7f43a4e9
Instruction Fuzzy Hash: F0510F35900246DFDF19EF68C4856FA7BA8EF15314F246056E891BF3A0D6309D43CBA0

Function 00E9F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E9F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E9F2BB

Strings

@, xrefs: 00E9F2AF

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9fac522cde3f8a2285dfedf2f1ad4f78febf5dc90b7a4005c73283bddbbc87ea
Instruction ID: e9536d5f82764b6782aee01dc97b0d5f123515965278f3c83ca0fbbfea5738c9
Opcode Fuzzy Hash: 9fac522cde3f8a2285dfedf2f1ad4f78febf5dc90b7a4005c73283bddbbc87ea
Instruction Fuzzy Hash: D25158715087489BE320AF10EC86BAFBBF8FF85314F91884DF1D961195EB308529CB66

Function 00F05745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00F057E0
_wcslen.LIBCMT ref: 00F057EC

Strings

CALLARGARRAY, xrefs: 00F057E6, 00F057EB

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 604c69a95b7002d68169f581a4d34207963725384a69251a31b43fcf097f7bb8
Instruction ID: 29d41d436f490faf058f4e880d571d73d1c6830caf156f6596b50dd018c59e63
Opcode Fuzzy Hash: 604c69a95b7002d68169f581a4d34207963725384a69251a31b43fcf097f7bb8
Instruction Fuzzy Hash: 74418F31E002099FCB14DFA9C8819BEBBF5EF59720F149069E905A7292E7709D81EF90

Function 00EFD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EFD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EFD13A

Strings

|, xrefs: 00EFD10B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: c21b64ce75f0f5158e8da50d7c0cd853a365ad76945c003f4c301487fcdddf43
Instruction ID: 48937a569583d5ff393ec80bb51349e46e0cb91368ae70f979029f2d044a79fb
Opcode Fuzzy Hash: c21b64ce75f0f5158e8da50d7c0cd853a365ad76945c003f4c301487fcdddf43
Instruction Fuzzy Hash: EB313E71D01219ABCF15EFA4CC85AEEBFBAFF05304F001059F919B6162E731AA16DB60

Function 00F1356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00F13621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F1365C

Strings

static, xrefs: 00F135BC

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 2f577a30bbf56495057902ba1d7f86604b0747b2ed8882b2d590568481dba6dd
Instruction ID: 6d9ad86155f40873c570b6e1570f89870a70e8dcf9d29ff9e8cfb5ad4aec75c6
Opcode Fuzzy Hash: 2f577a30bbf56495057902ba1d7f86604b0747b2ed8882b2d590568481dba6dd
Instruction Fuzzy Hash: 0C318D71500204AEDB209F28DC80EFB73A9FF88764F10961DF9A997280DA35AD91E760

Function 00F14537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00F1461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F14634

Strings

', xrefs: 00F1458E

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c105b27aba3936f0a26e3a45180192131c1f8283602fe23a19aa3d1ddc8f1004
Instruction ID: fa6b251d15cde91ee2e2ad59dc00260e1e68d332b4c59e480bf7729d21b7a276
Opcode Fuzzy Hash: c105b27aba3936f0a26e3a45180192131c1f8283602fe23a19aa3d1ddc8f1004
Instruction Fuzzy Hash: FC313975A0030A9FDF14CFA9C990BDABBB6FF49314F14406AE904AB381D770A981DF90

Function 00F131EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F1327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F13287

Strings

Combobox, xrefs: 00F13249

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ab162c40ad7e4c1c14a892601d28c9e3a6dccac9fd69c1864cc7e7960b72d4e3
Instruction ID: b7f5a3a828d63ac67e0d85b8869cf21a2fa9f6041ce12fbe39a259925de6d162
Opcode Fuzzy Hash: ab162c40ad7e4c1c14a892601d28c9e3a6dccac9fd69c1864cc7e7960b72d4e3
Instruction Fuzzy Hash: 1F11B2717002487FEF21AE54DC80EFB3BABEB983A4F104128F918A7290D6319D91A760

Function 00F13710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E8600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E8604C
Part of subcall function 00E8600E: GetStockObject.GDI32(00000011), ref: 00E86060
Part of subcall function 00E8600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E8606A

GetWindowRect.USER32(00000000,?), ref: 00F1377A
GetSysColor.USER32(00000012), ref: 00F13794

Strings

static, xrefs: 00F13757

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ec4ad39a7388f6167a150114d47722748eb96fc3aadb8292a0711c8601c03150
Instruction ID: e431fca8ab70442329150aa6c2a77732c21614e7e3e846610a36da72c6d12ce1
Opcode Fuzzy Hash: ec4ad39a7388f6167a150114d47722748eb96fc3aadb8292a0711c8601c03150
Instruction Fuzzy Hash: 131126B261020AAFDF11DFA8CC46AEA7BB9FB08354F014914F955E2250E735E851ABA0

Function 00EFCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EFCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EFCDA6

Strings

<local>, xrefs: 00EFCD66

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 622736f424601c43d3b63fcb92d370dbb662abf8d1e18e7a0b8dec1a604306eb
Instruction ID: 5ebfdba4e108f4cc52866a1fe6e946e6534c2c1de0ed1e356286f913dcd6cee6
Opcode Fuzzy Hash: 622736f424601c43d3b63fcb92d370dbb662abf8d1e18e7a0b8dec1a604306eb
Instruction Fuzzy Hash: 2A11CA7124563D79D7344B668C45EFBBE5CEF127A4F705225B209A3080D7719941D6F0

Function 00F13429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00F134AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F134BA

Strings

edit, xrefs: 00F1348F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 9e7e24f9072bcaab3f192fd6220e417b91647759d73be5649f956b21a8b3e5ab
Instruction ID: c892485430c2709bccf9f57297b3c74950d866c1420c27b5ce15aff143be680e
Opcode Fuzzy Hash: 9e7e24f9072bcaab3f192fd6220e417b91647759d73be5649f956b21a8b3e5ab
Instruction Fuzzy Hash: 92118F71500208AFEF218E64DC44AEB37AAEB15374F504324FA65931D4C771EC91A750

Function 00EE6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

CharUpperBuffW.USER32(?,?,?), ref: 00EE6CB6
_wcslen.LIBCMT ref: 00EE6CC2

Strings

STOP, xrefs: 00EE6CBC, 00EE6CC1

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 47a913f9ceb15619160299a668eab4eddd7fb98eb92a75517b63c129406ca393
Instruction ID: ed29957438f18279a2ba7bdc0d22c145b7d5da31d6d99bee9a96703528cf63fd
Opcode Fuzzy Hash: 47a913f9ceb15619160299a668eab4eddd7fb98eb92a75517b63c129406ca393
Instruction Fuzzy Hash: 4401E532A0056A8A8B10AEBECC409BFB7E5EA717547501924E856B6195EA31D8008750

Function 00EE1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EE1D4C

Strings

ComboBox, xrefs: 00EE1CEB
ListBox, xrefs: 00EE1D16

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: be1298466d5ed07a756341eaa80a0f6e95630c14a370476d71820c5a6b54fcb9
Instruction ID: 5abf238541fa495c24b40a81edc998e23d6e6a7a4d3e64ad0b6471e074b50252
Opcode Fuzzy Hash: be1298466d5ed07a756341eaa80a0f6e95630c14a370476d71820c5a6b54fcb9
Instruction Fuzzy Hash: A1012831A0121CABCB08FBA0CC15CFEB7A8EB42350B141549F83A772C2EA3199488760

Function 00EE1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00EE1C46

Strings

ComboBox, xrefs: 00EE1BE5
ListBox, xrefs: 00EE1C10

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c27ced3c4face63e725f4641741acc5ef0591a72c5565f80eb814d4e2e4cbf34
Instruction ID: 80aec641248c1338f65fdfe9b778907aa37e379964ed33abd4107c0d56202f11
Opcode Fuzzy Hash: c27ced3c4face63e725f4641741acc5ef0591a72c5565f80eb814d4e2e4cbf34
Instruction Fuzzy Hash: 0501FC71B8114C67CB08F7A1C955AFFB7E89B11340F241055B80AB3182EA359E4897B1

Function 00EE1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00EE1CC8

Strings

ComboBox, xrefs: 00EE1C69
ListBox, xrefs: 00EE1C94

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2cc80c99e0fa1cf2bca9843582408d37dc2c4dad5fcc75390deb4f642c68c0b6
Instruction ID: fe9a2471b851ba2db00959c643e64d76591834e4c7a56bc1a6ac9f3ed2ea5db3
Opcode Fuzzy Hash: 2cc80c99e0fa1cf2bca9843582408d37dc2c4dad5fcc75390deb4f642c68c0b6
Instruction Fuzzy Hash: 5101DB71A8115C67CB08F7A1CA15AFEF7E89B11740F342015B80AB3282EA35DF48D771

Function 00EE1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00EE1DD3

Strings

ComboBox, xrefs: 00EE1D75
ListBox, xrefs: 00EE1DA0

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d496d63026a5901306d0a61bc7e1122ee1e04953ccd8caf87cf4a7446bb34509
Instruction ID: 02fba8cb5a020c3aa9f7d5347d0e36273d37ca9c4d3532c71be5744046891be7
Opcode Fuzzy Hash: d496d63026a5901306d0a61bc7e1122ee1e04953ccd8caf87cf4a7446bb34509
Instruction Fuzzy Hash: 2EF0F471E4121C67CB08F7A5CC56AFEB7A8AB01740F182915B82A732C2EB7199088360

Function 00F0747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F07493
_wcslen.LIBCMT ref: 00F074B9

Strings

3, 3, 16, 1, xrefs: 00F07483

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 87004348170733393fb80d77aa4f94cad547fba39139f76ae50d21b2d09fe956
Instruction ID: a393cf95b76cf57307fedc1841e28a26db0a47753625b188f0545061f4e3e646
Opcode Fuzzy Hash: 87004348170733393fb80d77aa4f94cad547fba39139f76ae50d21b2d09fe956
Instruction Fuzzy Hash: ECE02B4AE0436190D33136799CC197F96CDCFCA760710286BF981D62E6EAD4EDA1B3A1

Function 00EE0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00EE0B23

Strings

Error allocating memory., xrefs: 00EE0B1C
AutoIt, xrefs: 00EE0B17

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 2fd53daed9e35d9c38925b3e2ff15e72a4ba31b10415d8de650f7045fa185952
Instruction ID: 9c95ca6d58d2c1e4cf332af3faebd04de6a0d8913e0fdf9eed9b02219be006ee
Opcode Fuzzy Hash: 2fd53daed9e35d9c38925b3e2ff15e72a4ba31b10415d8de650f7045fa185952
Instruction Fuzzy Hash: D9E0D83128430827D21036547C03FC97AC48F06F20F10542AFB48B94C38AD2649016EA

Function 00EA0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E9F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00EA0D71,?,?,?,00E8100A), ref: 00E9F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00E8100A), ref: 00EA0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E8100A), ref: 00EA0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EA0D7F

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c4e72b18b879daaca39c75f7c782402b3ddde4901883e21e3bf11ebdad927325
Instruction ID: f03007771bf3f38d19915193f385efa6a80a7a4af81ae043513c254409a003b3
Opcode Fuzzy Hash: c4e72b18b879daaca39c75f7c782402b3ddde4901883e21e3bf11ebdad927325
Instruction Fuzzy Hash: BCE092742007418BD3709FB8D4083827BE0BF05744F008D2DE486DA651DBF4F4889BD1

Function 00EF3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00EF302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00EF3044

Strings

aut, xrefs: 00EF3038

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 485be7ee63fc9e0d1f83b324680a85d4374bb6033cb724bf3775a043ea2fc2a1
Instruction ID: b1dae01cee86c5264dfcd6383f3634925e040678e4a6e32d9a6c4b7a5db013ce
Opcode Fuzzy Hash: 485be7ee63fc9e0d1f83b324680a85d4374bb6033cb724bf3775a043ea2fc2a1
Instruction Fuzzy Hash: 61D05EB254032867DA20A7A4AC0EFCB3A6CDB05750F0002A1BA55E2091DAF4D984CAD1

Function 00EDD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EDD220

Strings

X64, xrefs: 00EDD2A8
%.3d, xrefs: 00EDD22B

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: fb0ffa0cdd192fe6954bfe2cd78b9cc4ba5cb212446aedb11e22dd4d6ae7a1c8
Instruction ID: 7c21b72076794662e09b988aff28b202543b6ef335a20dc6ffcde9473289aa99
Opcode Fuzzy Hash: fb0ffa0cdd192fe6954bfe2cd78b9cc4ba5cb212446aedb11e22dd4d6ae7a1c8
Instruction Fuzzy Hash: 12D012A184C118EACF509AD0CC458F9B3BCEB18341F50A453FC06F1150E634C50A6B61

Function 00F12356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F1236C
PostMessageW.USER32(00000000), ref: 00F12373

Part of subcall function 00EEE97B: Sleep.KERNEL32 ref: 00EEE9F3

Strings

Shell_TrayWnd, xrefs: 00F12365

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4c18ca3b7bd4c29faaca404e60194f322ea447e43d166870e678318b60e332cd
Instruction ID: a0826131f315b1bab49423be98027003c920da7b980866f331c5285d3a3edf94
Opcode Fuzzy Hash: 4c18ca3b7bd4c29faaca404e60194f322ea447e43d166870e678318b60e332cd
Instruction Fuzzy Hash: 8CD022323C03047BE264B370DC0FFC6BA449B00B00F0189027705EA1D0C8F0B800DA84

Function 00F12322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F1232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F1233F

Part of subcall function 00EEE97B: Sleep.KERNEL32 ref: 00EEE9F3

Strings

Shell_TrayWnd, xrefs: 00F12325

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8eb8753f7ade3384be188a91229e3a021fa3afe5c26e61d14c17ec998a1782fa
Instruction ID: 4351db4346060e745275b6525bd591625e5c134b4379c31f5aee8b3a06211bdc
Opcode Fuzzy Hash: 8eb8753f7ade3384be188a91229e3a021fa3afe5c26e61d14c17ec998a1782fa
Instruction Fuzzy Hash: 22D022323C0304BBE264B370DC0FFC6BA449B00B00F0189027709EA1D0C8F0A800DA80

Function 00EBBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00EBBE93
GetLastError.KERNEL32 ref: 00EBBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EBBEFC

Memory Dump Source

Source File: 00000000.00000002.1272869582.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1272855728.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272920911.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272961225.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1272979576.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: fa08bae52517edc0efb6b3e10be7b5daf1ad0e9fd9fb2aa3b62c917a0993b42e
Instruction ID: 4a22cbc09a886a1a4b22e192855deae39f580b613f8502dfa6c1bad48c9b8425
Opcode Fuzzy Hash: fa08bae52517edc0efb6b3e10be7b5daf1ad0e9fd9fb2aa3b62c917a0993b42e
Instruction Fuzzy Hash: 0841F73470020AAFCF218FA5CC44AFB7BA9EF42314F156169F959BB1A1DBB09D01DB60

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1029294272&timestamp=1727736429547 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=X1TMqN8Nl_sl8XmDDScj0-8ksX8mi4l9QK_XaT5-FLctyAkmWXJ6O33T24Jo0Pwskbv5kkldMgX-Z5JBHCOdUGIi4VJTjyYHksnrD3ejRCtrgKw4LryhKg_6MsIzZ_ShpYeWy1hvAkXXyD4o7FDgks5m73Tt34WiOFhYUj0djWawTf7Klg
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CnWuoTPFlZNZotC&MD=W7ctRTEr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CnWuoTPFlZNZotC&MD=W7ctRTEr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
file.exe

Function 00E842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00E842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00EEDBBE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
filestringCOMMON

Function 00EC2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00EA4CE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20
COMMONLIBRARYCODE

Function 00F0AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00E82CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00EC065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00E8344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00E82B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre