Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1523166
MD5:	1355f9171ec60527abde0294c9bc90fa
SHA1:	15752f1a122b153511ddb621a7b8ebfb7fbb95d4
SHA256:	a26901e9e1f370fe377918d1975fcf06ec58bd980cb33ef00c368c3a051ba61d
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6456 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1355F9171EC60527ABDE0294C9BC90FA)

chrome.exe (PID: 6504 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7196 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1976,i,17972570215221199124,13710039879240288618,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7544 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5324 --field-trial-handle=1976,i,17972570215221199124,13710039879240288618,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7776 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1976,i,17972570215221199124,13710039879240288618,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

String found in binary or memory: _.iq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.iq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.iq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.iq(_.rq(c))+"&hl="+_.iq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.iq(m)+"/chromebook/termsofservice.html?languageCode="+_.iq(d)+"&regionCode="+_.iq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_77.5.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_77.5.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000002.1263308999.00000000017D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_82.5.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_77.5.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_77.5.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_82.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_82.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_77.5.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_77.5.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_77.5.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_77.5.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_77.5.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_77.5.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_77.5.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_77.5.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_77.5.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_77.5.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_77.5.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_77.5.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_82.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_77.5.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_77.5.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_77.5.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_82.5.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_77.5.dr	String found in binary or memory: https://www.google.com
Source: chromecache_77.5.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_82.5.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_82.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_82.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_82.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_82.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_82.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_77.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_77.5.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000003.1262705394.0000000001807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_77.5.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.7:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.7:49754 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001EEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001EED6A

Source: C:\Users\user\Desktop\file.exe

0_2_001EEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_001DAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00209576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00209576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1260752266.0000000000232000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_64ce25fc-c
Source: file.exe, 00000000.00000000.1260752266.0000000000232000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b94042fa-a
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_34910b57-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_fee8d2d2-2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001DD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_001DD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_001D1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001DE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017BF40	0_2_0017BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E2046	0_2_001E2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00178060	0_2_00178060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D8298	0_2_001D8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001AE4FF	0_2_001AE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A676B	0_2_001A676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00204873	0_2_00204873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019CAA0	0_2_0019CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017CAF0	0_2_0017CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018CC39	0_2_0018CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A6DD9	0_2_001A6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018B119	0_2_0018B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001791C0	0_2_001791C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00191394	0_2_00191394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00191706	0_2_00191706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019781B	0_2_0019781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00177920	0_2_00177920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018997D	0_2_0018997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001919B0	0_2_001919B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00197A4A	0_2_00197A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00191C77	0_2_00191C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00197CA7	0_2_00197CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001FBE44	0_2_001FBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A9EEE	0_2_001A9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00191F32	0_2_00191F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00179CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00190A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0018F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.evad.winEXE@33/30@12/7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E37B5 GetLastError,FormatMessageW,

0_2_001E37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D10BF AdjustTokenPrivileges,CloseHandle,		0_2_001D10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001D16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001E51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001DD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001DD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_001E648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001742A2

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	ReversingLabs: Detection: 13%
Source: file.exe	Virustotal: Detection: 17%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1976,i,17972570215221199124,13710039879240288618,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5324 --field-trial-handle=1976,i,17972570215221199124,13710039879240288618,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1976,i,17972570215221199124,13710039879240288618,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1976,i,17972570215221199124,13710039879240288618,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5324 --field-trial-handle=1976,i,17972570215221199124,13710039879240288618,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1976,i,17972570215221199124,13710039879240288618,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00190A76 push ecx; ret

0_2_00190A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0018F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00201C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00201C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96792

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.2 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001DDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001AC2A2 FindFirstFileExW,	0_2_001AC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E68EE FindFirstFileW,FindClose,	0_2_001E68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001E698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001DD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001DD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001E9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001E979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001E9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001E5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001742DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001EEAA2 BlockInput,

0_2_001EEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001A2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00194CE8 mov eax, dword ptr fs:[00000030h]

0_2_00194CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_001D0B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001A2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0019083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001909D5 SetUnhandledExceptionFilter,	0_2_001909D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00190C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00190C21

Source: C:\Users\user\Desktop\file.exe

0_2_001D1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001B2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001DB226 SendInput,keybd_event,

0_2_001DB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001F22DA

Source: C:\Users\user\Desktop\file.exe

0_2_001D0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_001D1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00190698 cpuid

0_2_00190698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_001E8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001CD27A GetUserNameW,

0_2_001CD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001AB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_001AB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001742DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_001F1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_001F1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	13%	ReversingLabs	Win32.Trojan.Ludicrouz
file.exe	18%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.google.com	0%	Virustotal	Browse
youtube-ui.l.google.com	0%	Virustotal	Browse
www.youtube.com	0%	Virustotal	Browse
youtube.com	0%	Virustotal	Browse
play.google.com	0%	Virustotal	Browse
accounts.youtube.com	0%	Virustotal	Browse
www3.l.google.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe
https://www.google.com/intl/	1%	Virustotal		Browse
https://play.google.com/log?format=json&hasfast=true&authuser=0	0%	Virustotal		Browse
https://www.google.com/favicon.ico	0%	Virustotal		Browse
https://play.google.com/log?format=json&hasfast=true	0%	Virustotal		Browse
https://play.google.com/log?hasfast=true&authuser=0&format=json	0%	Virustotal		Browse
https://play.google.com/work/enroll?identifier=	0%	Virustotal		Browse
https://youtube.com/t/terms?gl=	0%	Virustotal		Browse
https://www.youtube.com/t/terms?chromeless=1&hl=	0%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
youtube-ui.l.google.com	142.250.186.110	true	false	0%, Virustotal, Browse	unknown
www3.l.google.com	142.250.186.174	true	false	0%, Virustotal, Browse	unknown
play.google.com	142.250.185.174	true	false	0%, Virustotal, Browse	unknown
www.google.com	172.217.16.196	true	false	0%, Virustotal, Browse	unknown
youtube.com	172.217.16.206	true	false	0%, Virustotal, Browse	unknown
accounts.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	0%, Virustotal, Browse	unknown
https://www.google.com/favicon.ico	false	0%, Virustotal, Browse	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_77.5.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_77.5.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_77.5.dr	false	0%, Virustotal, Browse	unknown
https://policies.google.com/technologies/location-data	chromecache_77.5.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_77.5.dr	false	1%, Virustotal, Browse	unknown
https://apis.google.com/js/api.js	chromecache_82.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_77.5.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_77.5.dr	false	0%, Virustotal, Browse	unknown
https://policies.google.com/terms/service-specific	chromecache_77.5.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_77.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_77.5.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_77.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_77.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_77.5.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_82.5.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_77.5.dr	false	0%, Virustotal, Browse	unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_77.5.dr	false	0%, Virustotal, Browse	unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_77.5.dr	false	0%, Virustotal, Browse	unknown
https://support.google.com/accounts?hl=	chromecache_77.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_77.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_77.5.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_77.5.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_77.5.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.16.206	youtube.com	United States	15169	GOOGLEUS	false
142.250.186.174	www3.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.174	play.google.com	United States	15169	GOOGLEUS	false
142.250.186.110	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
172.217.16.196	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.7

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523166
Start date and time:	2024-10-01 07:50:03 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@33/30@12/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 34 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.67, 142.250.186.46, 173.194.76.84, 34.104.35.123, 142.250.185.99, 142.250.185.163, 142.250.185.138, 142.250.186.42, 142.250.181.234, 216.58.206.42, 172.217.23.106, 142.250.186.74, 142.250.185.106, 172.217.16.138, 142.250.185.234, 142.250.184.234, 142.250.185.74, 172.217.18.10, 142.250.186.170, 142.250.185.202, 142.250.184.202, 142.250.185.170, 142.250.186.106, 216.58.206.74, 142.250.186.138, 172.217.16.202, 217.20.57.18, 74.125.71.84, 142.250.184.238
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, time.windows.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://www.afghanhayatrestaurant.com.au/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://u47113775.ct.sendgrid.net/ls/click?upn=u001.NLjCc2NrF5-2Fl1RHefgLH74dDCI-2FlQUMQCuknF0akr34-3DPZ74_Bz-2FoIC9YMuvgy8ZsoekpZ-2Fn96y0OCAueT5LjwQn-2FX25AbFWdd2iGOJMfOUDymLwSDnjLWUuKOfyExMHrLPQc6sWuvBEF4PT9PwlcB-2BK9NQmoQucfLOeGSzPQg4J-2Bvn2C-2FT7DBGI3L6HQml9TPdefbzANw58o8IwtiN3AMNw21dRhcIy1JE5InQL6ZhzyniB-2FPrKB2Vn9uUJ7Mm1QrvUZh95-2FIqg1tkHnn-2FLCgLCOHUCdp1zwu5x-2Fprfv3kPHwI33RA9-2FJGY9xYPl-2BGH4uHP30vXeaFOwuVkWjx1bpQcAiato1uxhbL8AJAqpgT-2Bg5yQp7xXBACsCORIJr0VehkYFdFdFkgZPx7KSQblwloMm5OUc-2B9bb1d0siCBq5u36Pp2iCgmhq5PmipxmWr1HvrLZkdUUXJjpaRdjjEopb-2Fhw3b-2BUOpmNbUIJywjWyMBcUA9ScKtkpotTga2qo5ZaX-2B7AVyqz8KXtUfTb8SopobzuOWPiU-2BhBa8i7lRIGGQBQZmYU1TWv5mQ8uRPPf-2FWdH9RREF8cMLDET4k24yu8dJdqteeATx8Jfw8MWOWehX6ZTxJWGswooAVOvW116fDJmFNO-2F-2BecR-2Fd9NmRwCYnnK4Bh3IM-3D	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://booking.com-partners.one/confirm/login/qAlElVVF	Get hash	malicious	Unknown	Browse
	https://www.polorestobar.com/	Get hash	malicious	Unknown	Browse
	https://jv.prenticeu.com/SAFlSIeECgRZt_tUKXhAOQHYyqb5e4/	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://content.app-us1.com/1REPZ7/2024/09/30/ff91983f-ef4d-4288-b1e8-8d1ab94f757b.pdf	Get hash	malicious	HTMLPhisher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://www.afghanhayatrestaurant.com.au/	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://u47113775.ct.sendgrid.net/ls/click?upn=u001.NLjCc2NrF5-2Fl1RHefgLH74dDCI-2FlQUMQCuknF0akr34-3DPZ74_Bz-2FoIC9YMuvgy8ZsoekpZ-2Fn96y0OCAueT5LjwQn-2FX25AbFWdd2iGOJMfOUDymLwSDnjLWUuKOfyExMHrLPQc6sWuvBEF4PT9PwlcB-2BK9NQmoQucfLOeGSzPQg4J-2Bvn2C-2FT7DBGI3L6HQml9TPdefbzANw58o8IwtiN3AMNw21dRhcIy1JE5InQL6ZhzyniB-2FPrKB2Vn9uUJ7Mm1QrvUZh95-2FIqg1tkHnn-2FLCgLCOHUCdp1zwu5x-2Fprfv3kPHwI33RA9-2FJGY9xYPl-2BGH4uHP30vXeaFOwuVkWjx1bpQcAiato1uxhbL8AJAqpgT-2Bg5yQp7xXBACsCORIJr0VehkYFdFdFkgZPx7KSQblwloMm5OUc-2B9bb1d0siCBq5u36Pp2iCgmhq5PmipxmWr1HvrLZkdUUXJjpaRdjjEopb-2Fhw3b-2BUOpmNbUIJywjWyMBcUA9ScKtkpotTga2qo5ZaX-2B7AVyqz8KXtUfTb8SopobzuOWPiU-2BhBa8i7lRIGGQBQZmYU1TWv5mQ8uRPPf-2FWdH9RREF8cMLDET4k24yu8dJdqteeATx8Jfw8MWOWehX6ZTxJWGswooAVOvW116fDJmFNO-2F-2BecR-2Fd9NmRwCYnnK4Bh3IM-3D	Get hash	malicious	HTMLPhisher	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://booking.com-partners.one/confirm/login/qAlElVVF	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://www.polorestobar.com/	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://jv.prenticeu.com/SAFlSIeECgRZt_tUKXhAOQHYyqb5e4/	Get hash	malicious	HTMLPhisher	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://content.app-us1.com/1REPZ7/2024/09/30/ff91983f-ef4d-4288-b1e8-8d1ab94f757b.pdf	Get hash	malicious	HTMLPhisher	Browse	4.175.87.197 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5049
Entropy (8bit):	5.317800104741948
Encrypted:	false
SSDEEP:	96:oHX9gPiPrfnHhsB0TR6kg1oDPJzLmM18Vh1z2fEZ54TZtnqj6w:EtEAr6BmPZtOeEvW/ncP
MD5:	CE53EF566B68CCF2D62FA044CFB0D138
SHA1:	F48EC60289F2B55E8B388601206888F8295B1EB1
SHA-256:	E6CC5114D92811D5DE0663266D4B63F367834AFA0FC3BAFA54F707038C59D010
SHA-512:	20B434881DE971E263669E6096C01665D4D35B0FBFF47D312A4A442645EE962A8CE6AD7E68246D4EE9691BD30D9B1DDCF7059226492E1B58CD3191B63B001E4D
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.$Ma=_.y("wg1P6b",[_.OA,_.Fn,_.Rn]);._.k("wg1P6b");.var M5a;M5a=_.oh(["aria-"]);._.mJ=function(a){_.Y.call(this,a.Fa);this.Ja=this.ta=this.aa=this.viewportElement=this.La=null;this.Tc=a.Ea.qf;this.ab=a.Ea.focus;this.Lc=a.Ea.Lc;this.ea=this.Ei();a=-1*parseInt(_.Fo(this.Ei().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Fo(this.Ei().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.gf(this.getData("isMenuDynamic"),!1);b=_.gf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Sc(0),_.fu(this,.N5a(this,this.aa.el())));_.mF(this.oa())&&(a=this.oa().el(),b=this.De.bind(this),a.__soy_skip_handler=b)};_.J(_.mJ,_.Y);_.mJ.Ba=function(){return{Ea:{qf:_.SE,focus:_.BE,Lc:_.mu}}};_.mJ.prototype.pF=function(a){var b=a.source;this.La=b;var c;((c=a.data)==null?0:c.Jy)?(a=a.data.Jy,this.Ca=a==="MOUS

Chrome Cache Entry: 77

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	697429
Entropy (8bit):	5.593310312179182
Encrypted:	false
SSDEEP:	6144:TYNlxfbDTYDhzCTNoygVWyJb5eGpbL2Mp15gI8seqfh53p+rrvV7i:T25bDTYB+qeGB+Nu
MD5:	92F0F5E28355D863ACB77313F1E675DE
SHA1:	8AD6F9B535D5B8952A4ADCCC57E4A4E0723F1E8D
SHA-256:	F903AE346609A2872554A3D8FFBDB1836CB5C8B7AAAED4C3F8296B887E03D833
SHA-512:	0C81A6CD850C6ACDBE9CCCBA00BBA34CDE1E09E8572814AE8E55DBED3C2B56F0B020359841F8217843B3403847DF46FA1C82229684F762A73C8110CE45898DAF
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.253939888205379
Encrypted:	false
SSDEEP:	48:o7BNJfeFb8L3A6FHqIy5Z+d70OCzSfvi/3fM/r8ZQzRrw:oFuILhFHrVCz0vLZz9w
MD5:	10FF6F99E3228E96AFD6E2C30EF97C0A
SHA1:	4AE3DCB8D1F5A0C302D5BAD9DFF5050A7A5E8130
SHA-256:	95E5546E1C7F311D07BB5050CC456A973E43BCC4777BA6014757376016537679
SHA-512:	116C0B1CAC98A27044100005545AB66BE5F4801D75DC259093A9F145B3A4ACD8DC1C360AF525F6DC8421CD54B675A78023D2ED8B57F5946A3969543758C673C9
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.$Z=function(a){_.X.call(this,a.Fa);this.window=a.Ea.window.get();this.Mc=a.Ea.Mc};_.J(_.$Z,_.X);_.$Z.Ba=function(){return{Ea:{window:_.lu,Mc:_.vE}}};_.$Z.prototype.Mo=function(){};_.$Z.prototype.addEncryptionRecoveryMethod=function(){};_.a_=function(a){return(a==null?void 0:a.Go)\|\|function(){}};_.b_=function(a){return(a==null?void 0:a.N2)\|\|function(){}};_.OOb=function(a){return(a==null?void 0:a.Mp)\|\|function(){}};._.POb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.QOb=function(a){setTimeout(function(){throw a;},0)};_.$Z.prototype.WN=function(){return!0};_.iu(_.Dn,_.$Z);._.l();._.k("ziXSP");.var t_=function(a){_.$Z.call(this,a.Fa)};_.J(t_,_.$Z);t_.Ba=_.$Z.Ba;t_.prototype.Mo=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3346)
Category:	downloaded
Size (bytes):	22827
Entropy (8bit):	5.420322672717721
Encrypted:	false
SSDEEP:	384:/jqdWXWfyA20UUjDE8BSUxDJs16KHvSN34kaHaN+587SaXD2mLR0H:/jqdWXAUUjDE84Wi6KPSKjHaN+58+0J2
MD5:	2B29741A316862EE788996DD29116DD5
SHA1:	9D5551916D4452E977C39B8D69CF88DF2AAA462B
SHA-256:	62955C853976B722EFBB4C116A10DB3FF54580EDD7495D280177550B8F4289AB
SHA-512:	6E37C3258F07F29909763728DADE0CD40A3602D55D9099F78B37756926FCF2A50008B82876B518FEAF3E56617F0F7D1D37A73C346A99A58E6AD8BCD6689E9B15
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.pu.prototype.da=_.ca(38,function(){return _.vj(this,3)});_.Vy=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.Vy.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.Wy=function(){this.ka=!0;var a=_.Bj(_.jk(_.Fe("TSDtV",window),_.pya),_.pu,1,_.uj())[0];if(a){var b={};for(var c=_.n(_.Bj(a,_.qya,2,_.uj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Nj(d,1).toString();switch(_.xj(d,_.qu)){case 3:b[e]=_.Lj(d,_.pj(d,_.qu,3));break;case 2:b[e]=_.Nj(d,_.pj(d,_.qu,2));break;case 4:b[e]=_.Oj(d,_.pj(d,_.qu,4));break;case 5:b[e]=_.L(d,_.pj(d,_.qu,5));break;case 6:b[e]=_.Sj(d,_.kf,6,_.qu);break;default:throw Error("id`"+_.xj(d,_.qu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.Wy.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Fe("nQyAE",window)){var b=_.sya(a.flagName);if(b===null)a=a.def

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4070
Entropy (8bit):	5.362700670482359
Encrypted:	false
SSDEEP:	96:GUpT+TmXtdW1qsHFcn7t7CnyWYvNTcLaQOw:lpT+qXW1PFcn7tGnyWY1TGb
MD5:	ED368A20CB303C0E7C6A3E6E43C2E14F
SHA1:	429A5C538B45221F80405163D1F87912DD73C05A
SHA-256:	93BA77AD4B11E0A70C0D36576F0DF24E27F50001EA02BAA6D357E034532D97F2
SHA-512:	DE74BBADE910475DD245FFEFD4E1FD10137DE710B1C920D33BA52554911496E1339EF3C1F6D9D315CBC98A60ABE5687A3E7D8BEE483708E18D25722E794BDBE9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.zg(_.dqa);._.k("sOXFj");.var ou=function(a){_.X.call(this,a.Fa)};_.J(ou,_.X);ou.Ba=_.X.Ba;ou.prototype.aa=function(a){return a()};_.iu(_.cqa,ou);._.l();._.k("oGtAuc");._.oya=new _.uf(_.dqa);._.l();._.k("q0xTif");.var iza=function(a){var b=function(d){_.Zn(d)&&(_.Zn(d).Gc=null,_.yu(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Ku=function(a){_.et.call(this,a.Fa);this.Qa=this.dom=null;if(this.Vk()){var b=_.Jm(this.Mg(),[_.Om,_.Nm]);b=_.ri([b[_.Om],b[_.Nm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.cu(this,b)}this.Ra=a.Xl.Hda};_.J(Ku,_.et);Ku.Ba=function(){return{Xl:{Hda:function(a){return _.Ye(a)}}}};Ku.prototype.yp=function(a){return this.Ra.yp(a)};.Ku.prototype.getData=function(a){return this.Ra.getData(a)};Ku.prototype.vp=function(){_.Ft(this.d

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	603951
Entropy (8bit):	5.789948381047936
Encrypted:	false
SSDEEP:	3072:W0pApkygA62bwwdnO2YflNYhFGOizdGj008PpVVM96C5bMEPQUhts6FV8eKqtVAT:WlgNmwwdnOsF98oNGuQRAYqXsI1+
MD5:	A97373CC3F8795654F3C8C6B57066AE7
SHA1:	F7BECFDDE230EF537E8745B598DCED737C490C3C
SHA-256:	A1B0568D555DC4B4AF4CC5A6C41E838B702816445C04FF002C8A13058387F311
SHA-512:	47C76D26F4F9F206F93186800E06D3DBE1FDD0A1BA23FB9A3556390DE7F86C1FFB2C78FE307FB944C690475BFBAE9738C38233E00FDDFA9775A3B2030081D7F1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlEQAz5EZnBR6fK6LIn1v8ILsATM3g/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x1ce13c40, 0x51407a0, 0x1908, 0x0, 0x1b400000, 0x19a00000, 0x0, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Na,Ua,gaa,iaa,lb,qaa,xaa,Daa,Iaa,Laa,Mb,Maa,Rb,Vb,Wb,Naa,Oaa,Xb,Paa,Qaa,Raa,ac,Waa,Yaa,ic,jc,kc,cba,dba,hba,kba,mba,nba,rba,uba,oba,tba,sba,qba,pba,vba,zba,Dba,Eba,Bba,Kc,Lc,Hba,Jba,Nba,Oba,Pba,Qba,Mba,Rba,Tba,gd,Vba,Wba,Yba,$ba,Zba,bca,cca,dca,eca,gca,fca,ica,jca,kca,lca,oca,r

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.3872171131917925
Encrypted:	false
SSDEEP:	192:FK/pAzN7GZ068Hqhqu6DQaVapzYjgKItwdiwUsYRTi1j1t9bRl9:FqI7GZ04dRYjghtgisYYbt9ll9
MD5:	AB70454DE18E1CE16E61EAC290FC304D
SHA1:	68532B5E8B262D7E14B8F4507AA69A61146B3C18
SHA-256:	B32D746867CC4FA21FD39437502F401D952D0A3E8DC708DFB7D58B85F256C0F1
SHA-512:	A123C517380BEF0B47F23A5A6E1D16650FE39D9C701F9FA5ADD79294973C118E8EA3A7BA32CB63C3DFC0CE0F843FB86BFFCAA2AAE987629E7DFF84F176DEBB98
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.gNa=_.y("SD8Jgb",[]);._.QX=function(a,b){if(typeof b==="string")a.Nc(b);else if(b instanceof _.Ip&&b.ia&&b.ia===_.B)b=_.$a(b.ww()),a.empty().append(b);else if(b instanceof _.Wa)b=_.$a(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.RX=function(a){var b=_.Lo(a,"[jsslot]");if(b.size()>0)return b;b=new _.Jo([_.Qk("span")]);_.Mo(b,"jsslot","");a.empty().append(b);return b};_.TKb=function(a){return a===null\|\|typeof a==="string"&&_.Ki(a)};._.k("SD8Jgb");._.WX=function(a){_.Y.call(this,a.Fa);this.Ua=a.controller.Ua;this.kd=a.controllers.kd[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.WX,_.Y);_.WX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.hv},header:{jsname:"tJHJj",ctor:_.hv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32499
Entropy (8bit):	5.361345284201954
Encrypted:	false
SSDEEP:	768:mLX1O+aL6fgyIiREM4RKmh90toLoTswtF3ATcbDR6kIsnJd9DPyMv/FI:U2M4oltoLoTswtFoc/tIsnXFLI
MD5:	D5C3FB8EAE24AB7E40009338B5078496
SHA1:	5638BF5986A6445A88CD79A9B690B744B126BEC2
SHA-256:	597C14D360D690BCFDC2B8D315E6BB8879AEF33DE6C30D274743079BDB63C6B0
SHA-512:	6AE434850D473BEF15AA694AB4862596982CDDA6BD3991991D3ADD8F4A5F61DFBF8756D0DA98B72EF083909D68CF7B6B148A6488E9381F92FBF15CCB20176A0E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var qua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.gp("//www.google.com/images/cleardot.gif");_.rp(c)}this.ka=c};_.h=qua.prototype;_.h.Vc=null;_.h.QY=1E4;_.h.Iz=!1;_.h.TP=0;_.h.qJ=null;_.h.DU=null;_.h.setTimeout=function(a){this.QY=a};_.h.start=function(){if(this.Iz)throw Error("dc");this.Iz=!0;this.TP=0;rua(this)};_.h.stop=function(){sua(this);this.Iz=!1};.var rua=function(a){a.TP++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.om((0,_.eg)(a.JG,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.eg)(a.Xia,a),a.aa.onerror=(0,_.eg)(a.Wia,a),a.aa.onabort=(0,_.eg)(a.Via,a),a.qJ=_.om(a.Yia,a.QY,a),a.aa.src=String(a.ka))};_.h=qua.prototype;_.h.Xia=function(){this.JG(!0)};_.h.Wia=function(){this.JG(!1)};_.h.Via=function(){this.JG(!1)};_.h.Yia=function(){this.JG(!1)};._.h.JG=function(a){sua(this);a?(this.Iz=!1,this.da.call(this.ea,!0)):this.TP<=0?rua(this):(this.Iz=!1,

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.3750044852869046
Encrypted:	false
SSDEEP:	48:o7zfN/cD498xdg+Y5jNQ8js6npwk0OmNAEZbpMzR4EQBcW5QcHj9KWfGAeFKRrw:oCD9dA5jOEGh+EFqR4rhqUhzff9w
MD5:	39693D34EE3D1829DBB1627C4FC6687B
SHA1:	A03303C2F027F3749B48D5134D1F8FB3E495C6E9
SHA-256:	03B0C1B4E402E0BCF75D530DD9085B25357EEFD09E238453DE1F3A042542C076
SHA-512:	AC0749EDC33DA0EC0E40470388DD797B6528AD08B8FAC1C2AC42F85198131052BA1B533E90409D35DA237607E8B07D591FA6BA580B6A90B0D0AB2282A01F7585
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var bA=function(a){_.X.call(this,a.Fa)};_.J(bA,_.X);bA.Ba=_.X.Ba;bA.prototype.wR=function(a){return _.af(this,{Wa:{HS:_.ol}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.oi(function(e){window._wjdc=function(f){d(f);e(PJa(f,b,a))}}):PJa(c,b,a)})};var PJa=function(a,b,c){return(a=a&&a[c])?a:b.Wa.HS.wR(c)};.bA.prototype.aa=function(a,b){var c=_.csa(b).Gj;if(c.startsWith("$")){var d=_.jm.get(a);_.xq[b]&&(d\|\|(d={},_.jm.set(a,d)),d[c]=_.xq[b],delete _.xq[b],_.yq--);if(d)if(a=d[c])b=_.ef(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.iu(_.Mfa,bA);._.l();._.k("SNUn3");._.OJa=new _.uf(_.Ag);._.l();._.k("RMhBfe");.var QJa=function(a){var b=_.wq(a);return b?new _.oi(function(c,d){var e=function(){b=_.wq(a);var f=_.Tfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (569)
Category:	downloaded
Size (bytes):	3471
Entropy (8bit):	5.5174491302699495
Encrypted:	false
SSDEEP:	96:ojAmjTJ/fJgpIcB7Fd2tilGBEMO/A6VxV08w:vUTJpgDJXM0ApJ
MD5:	2D999C87DD54C7FE6400D267C33FBB23
SHA1:	414C3A329C2760325EDBACBD7A221D7F8DBFEEE8
SHA-256:	76D55A1AFC1D39CB04D60EB04E45A538A0E75EE2871561C84CC89B1C13596BCC
SHA-512:	72D923BB71DD147139962FF8E2BD0E336E0F6409C212AC2F25387D0F3B4FC9365F5A6D40E2980BB1065534888362C97D6B7663E362D29166B5915D2A9DA7D238
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var Txa=function(){var a=_.Ke();return _.L(a,1)},Tt=function(a){this.Da=_.t(a,0,Tt.messageId)};_.J(Tt,_.w);Tt.prototype.Ha=function(){return _.Hj(this,1)};Tt.prototype.Va=function(a){return _.Yj(this,1,a)};Tt.messageId="f.bo";var Ut=function(){_.km.call(this)};_.J(Ut,_.km);Ut.prototype.ud=function(){this.jT=!1;Uxa(this);_.km.prototype.ud.call(this)};Ut.prototype.aa=function(){Vxa(this);if(this.hC)return Wxa(this),!1;if(!this.sV)return Vt(this),!0;this.dispatchEvent("p");if(!this.fP)return Vt(this),!0;this.jM?(this.dispatchEvent("r"),Vt(this)):Wxa(this);return!1};.var Xxa=function(a){var b=new _.gp(a.z4);a.WP!=null&&_.Mn(b,"authuser",a.WP);return b},Wxa=function(a){a.hC=!0;var b=Xxa(a),c="rt=r&f_uid="+_.sk(a.fP);_.fn(b,(0,_.eg)(a.ea,a),"POST",c)};.Ut.prototype.ea=function(a){a=a.target;Vxa(this);if(_.jn(a)){this.RJ=0;if(this.jM)this.hC=!1,this.dispatchEvent("r")

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.280977407061266
Encrypted:	false
SSDEEP:	48:o7YNJvl3WlENrpB3stYCIgMxILNH/wf7DVTBpdQrw:oApB8iDwYlGw
MD5:	4FB66582D37D04933F00E49C2FBA34D4
SHA1:	3DB09C53BBEB1EEB045A001356E498D8EF30915D
SHA-256:	A97DAC01ABFE3EB75C7C97D504E21BDDDADDB6EBE0B56B6A9A10CD3700CAB41B
SHA-512:	2AEB3A6CFFBF6EFA626EBDC9E11ACBAC04BFE986F98FBC050B2501898B289C67D392ED195D16ACC9565EF8784401ADA1E88188CDE3A7AB12D98BB5ED7D8A5711
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.zg(_.Kla);_.$z=function(a){_.X.call(this,a.Fa);this.aa=a.Wa.cache};_.J(_.$z,_.X);_.$z.Ba=function(){return{Wa:{cache:_.Zs}}};_.$z.prototype.execute=function(a){_.Gb(a,function(b){var c;_.df(b)&&(c=b.eb.jc(b.jb));c&&this.aa.oG(c)},this);return{}};_.iu(_.Qla,_.$z);._.l();._.k("ZDZcre");.var ZG=function(a){_.X.call(this,a.Fa);this.Nl=a.Ea.Nl;this.G3=a.Ea.metadata;this.aa=a.Ea.Ws};_.J(ZG,_.X);ZG.Ba=function(){return{Ea:{Nl:_.DG,metadata:_.HZa,Ws:_.AG}}};ZG.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Gb(a,function(c){var d=b.G3.getType(c.Md())===2?b.Nl.Pb(c):b.Nl.fetch(c);return _.Jl(c,_.EG)?d.then(function(e){return _.Jd(e)}):d},this)};_.iu(_.Vla,ZG);._.l();._.k("K5nYTd");._.GZa=new _.uf(_.Rla);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var GG=function(a){_.X.call(this,a.Fa);this.aa=a.Ea.ZP};_.J(GG,_.X);GG.Ba=func

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 90

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.316515499943097
Encrypted:	false
SSDEEP:	24:kMYD7DduJqrxsNL90YIzFK/Hb5eNhz1uktdDuvKKKGbLZ99GbSSF/ZR8OkdnprGJ:o7DQJopFN+ASCKKGbF99GbSS3RY7rw
MD5:	D97AB4594FC610665FF2763A650EE6A8
SHA1:	5C7459CA838D27BE45745571D8D96D156F4B9F8D
SHA-256:	767D778369623FD8F5FB98D3BCC3130D05D02CBE0B9B88DD226F43281B14E9AF
SHA-512:	CE4941B41C3A8CC983C1BBCC87EF682823CB9DB24EA7A570E35BBF832046340D433F7D47211384B61FA38F3527CC35C195A6068CCB24B48E1F492C5B4D4192A1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.HZa=new _.uf(_.Km);._.l();._.k("P6sQOc");.var MZa=!!(_.Nh[1]&16);var OZa=function(a,b,c,d,e){this.ea=a;this.ta=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=NZa(this)},PZa=function(a){var b={};_.Ma(a.hS(),function(e){b[e]=!0});var c=a.WR(),d=a.cS();return new OZa(a.XO(),c.aa()1E3,a.oR(),d.aa()1E3,b)},NZa=function(a){return Math.random()Math.min(a.taMath.pow(a.ka,a.aa),a.Ca)},HG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var IG=function(a){_.X.call(this,a.Fa);this.da=a.Ea.mV;this.ea=a.Ea.metadata;a=a.Ea.lga;this.fetch=a.fetch.bind(a)};_.J(IG,_.X);IG.Ba=function(){return{Ea:{mV:_.KZa,metadata:_.HZa,lga:_.AZa}}};IG.prototype.aa=function(a,b){if(this.ea.getType(a.Md())!==1)return _.Vm(a);var c=this.da.JU;return(c=c?PZa(c):null)&&HG(c)?_.mya(a,QZa(this,a,b,c)):_.Vm(a)};.var QZa=function(a,b,c,d){return c.then(function(e){return e},function(e)

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.579781779284129
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	1355f9171ec60527abde0294c9bc90fa
SHA1:	15752f1a122b153511ddb621a7b8ebfb7fbb95d4
SHA256:	a26901e9e1f370fe377918d1975fcf06ec58bd980cb33ef00c368c3a051ba61d
SHA512:	2a5a7b069f7f26ecd58b0dded6bd529cff4d47a914817403ab58ae862028658eaf4e4b6bba215b51370105c3f743b8f71de8b1ff6fc969c5e954a66253d8d220
SSDEEP:	12288:9qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgagT4:9qDEvCTbMWu7rQYlBQcBiT6rprG8a44
TLSH:	16159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FB87F1 [Tue Oct 1 05:26:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F8974D105B3h
jmp 00007F8974D0FEBFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8974D1009Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8974D1006Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8974D12C5Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8974D12CA8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8974D12C91h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95ac	0x9600	0c80dab3b3cdd729b907330fe8c77020	False	0.2860416666666667	data	5.163985740645173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x874	data			1.005083179297597
RT_GROUP_ICON	0xdd02c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0a4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0b8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0cc	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0e0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1bc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 07:50:57.670461893 CEST	49671	443	192.168.2.7	204.79.197.203
Oct 1, 2024 07:50:57.967387915 CEST	49674	443	192.168.2.7	104.98.116.138
Oct 1, 2024 07:50:57.968079090 CEST	49675	443	192.168.2.7	104.98.116.138
Oct 1, 2024 07:50:58.140038013 CEST	49672	443	192.168.2.7	104.98.116.138
Oct 1, 2024 07:51:01.688534975 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 1, 2024 07:51:02.061122894 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 1, 2024 07:51:02.482959986 CEST	49671	443	192.168.2.7	204.79.197.203
Oct 1, 2024 07:51:02.805504084 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 1, 2024 07:51:04.305815935 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 1, 2024 07:51:04.366306067 CEST	49702	443	192.168.2.7	172.217.16.206
Oct 1, 2024 07:51:04.366353989 CEST	443	49702	172.217.16.206	192.168.2.7
Oct 1, 2024 07:51:04.366400003 CEST	49702	443	192.168.2.7	172.217.16.206
Oct 1, 2024 07:51:04.384074926 CEST	49702	443	192.168.2.7	172.217.16.206
Oct 1, 2024 07:51:04.384094954 CEST	443	49702	172.217.16.206	192.168.2.7
Oct 1, 2024 07:51:05.020091057 CEST	443	49702	172.217.16.206	192.168.2.7
Oct 1, 2024 07:51:05.021991014 CEST	49702	443	192.168.2.7	172.217.16.206
Oct 1, 2024 07:51:05.022015095 CEST	443	49702	172.217.16.206	192.168.2.7
Oct 1, 2024 07:51:05.022396088 CEST	443	49702	172.217.16.206	192.168.2.7
Oct 1, 2024 07:51:05.022450924 CEST	49702	443	192.168.2.7	172.217.16.206
Oct 1, 2024 07:51:05.023416996 CEST	443	49702	172.217.16.206	192.168.2.7
Oct 1, 2024 07:51:05.023493052 CEST	49702	443	192.168.2.7	172.217.16.206
Oct 1, 2024 07:51:05.028362989 CEST	49702	443	192.168.2.7	172.217.16.206
Oct 1, 2024 07:51:05.028418064 CEST	443	49702	172.217.16.206	192.168.2.7
Oct 1, 2024 07:51:05.028832912 CEST	49702	443	192.168.2.7	172.217.16.206
Oct 1, 2024 07:51:05.028841019 CEST	443	49702	172.217.16.206	192.168.2.7
Oct 1, 2024 07:51:05.117264032 CEST	49702	443	192.168.2.7	172.217.16.206
Oct 1, 2024 07:51:05.306814909 CEST	443	49702	172.217.16.206	192.168.2.7
Oct 1, 2024 07:51:05.307246923 CEST	443	49702	172.217.16.206	192.168.2.7
Oct 1, 2024 07:51:05.307851076 CEST	49702	443	192.168.2.7	172.217.16.206
Oct 1, 2024 07:51:05.317440033 CEST	49702	443	192.168.2.7	172.217.16.206
Oct 1, 2024 07:51:05.317459106 CEST	443	49702	172.217.16.206	192.168.2.7
Oct 1, 2024 07:51:05.327476025 CEST	49706	443	192.168.2.7	142.250.186.110
Oct 1, 2024 07:51:05.327497005 CEST	443	49706	142.250.186.110	192.168.2.7
Oct 1, 2024 07:51:05.327610970 CEST	49706	443	192.168.2.7	142.250.186.110
Oct 1, 2024 07:51:05.327816010 CEST	49706	443	192.168.2.7	142.250.186.110
Oct 1, 2024 07:51:05.327822924 CEST	443	49706	142.250.186.110	192.168.2.7
Oct 1, 2024 07:51:05.958511114 CEST	443	49706	142.250.186.110	192.168.2.7
Oct 1, 2024 07:51:05.958803892 CEST	49706	443	192.168.2.7	142.250.186.110
Oct 1, 2024 07:51:05.958817959 CEST	443	49706	142.250.186.110	192.168.2.7
Oct 1, 2024 07:51:05.959199905 CEST	443	49706	142.250.186.110	192.168.2.7
Oct 1, 2024 07:51:05.959362030 CEST	49706	443	192.168.2.7	142.250.186.110
Oct 1, 2024 07:51:05.959939957 CEST	443	49706	142.250.186.110	192.168.2.7
Oct 1, 2024 07:51:05.960052967 CEST	49706	443	192.168.2.7	142.250.186.110
Oct 1, 2024 07:51:05.961250067 CEST	49706	443	192.168.2.7	142.250.186.110
Oct 1, 2024 07:51:05.961250067 CEST	49706	443	192.168.2.7	142.250.186.110
Oct 1, 2024 07:51:05.961263895 CEST	443	49706	142.250.186.110	192.168.2.7
Oct 1, 2024 07:51:05.961308956 CEST	443	49706	142.250.186.110	192.168.2.7
Oct 1, 2024 07:51:06.021231890 CEST	49706	443	192.168.2.7	142.250.186.110
Oct 1, 2024 07:51:06.021241903 CEST	443	49706	142.250.186.110	192.168.2.7
Oct 1, 2024 07:51:06.188488007 CEST	49706	443	192.168.2.7	142.250.186.110
Oct 1, 2024 07:51:06.261338949 CEST	443	49706	142.250.186.110	192.168.2.7
Oct 1, 2024 07:51:06.261364937 CEST	443	49706	142.250.186.110	192.168.2.7
Oct 1, 2024 07:51:06.261420012 CEST	49706	443	192.168.2.7	142.250.186.110
Oct 1, 2024 07:51:06.261429071 CEST	443	49706	142.250.186.110	192.168.2.7
Oct 1, 2024 07:51:06.261532068 CEST	443	49706	142.250.186.110	192.168.2.7
Oct 1, 2024 07:51:06.261678934 CEST	49706	443	192.168.2.7	142.250.186.110
Oct 1, 2024 07:51:06.263660908 CEST	49706	443	192.168.2.7	142.250.186.110
Oct 1, 2024 07:51:06.263676882 CEST	443	49706	142.250.186.110	192.168.2.7
Oct 1, 2024 07:51:07.101656914 CEST	49708	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:51:07.101700068 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:07.101799965 CEST	49708	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:51:07.102037907 CEST	49708	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:51:07.102056026 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:07.295269966 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 1, 2024 07:51:07.576253891 CEST	49674	443	192.168.2.7	104.98.116.138
Oct 1, 2024 07:51:07.576312065 CEST	49675	443	192.168.2.7	104.98.116.138
Oct 1, 2024 07:51:07.735028982 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:07.735352039 CEST	49708	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:51:07.735379934 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:07.736416101 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:07.736469030 CEST	49708	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:51:07.737620115 CEST	49708	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:51:07.737673998 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:07.748162031 CEST	49672	443	192.168.2.7	104.98.116.138
Oct 1, 2024 07:51:07.779422998 CEST	49708	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:51:07.779448986 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:07.826278925 CEST	49708	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:51:09.633049965 CEST	49714	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:09.633085012 CEST	443	49714	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:09.633239985 CEST	49714	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:09.634923935 CEST	49714	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:09.634937048 CEST	443	49714	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:10.213257074 CEST	443	49699	104.98.116.138	192.168.2.7
Oct 1, 2024 07:51:10.213418961 CEST	49699	443	192.168.2.7	104.98.116.138
Oct 1, 2024 07:51:10.283092976 CEST	443	49714	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:10.283158064 CEST	49714	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:10.288079977 CEST	49714	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:10.288096905 CEST	443	49714	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:10.288314104 CEST	443	49714	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:10.342679024 CEST	49714	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:10.344984055 CEST	49714	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:10.391392946 CEST	443	49714	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:10.556327105 CEST	443	49714	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:10.556504965 CEST	443	49714	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:10.556612015 CEST	49714	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:10.559735060 CEST	49714	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:10.559752941 CEST	443	49714	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:10.559777975 CEST	49714	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:10.559784889 CEST	443	49714	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:10.609117985 CEST	49719	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:10.609133005 CEST	443	49719	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:10.609281063 CEST	49719	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:10.609474897 CEST	49719	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:10.609481096 CEST	443	49719	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:11.246568918 CEST	443	49719	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:11.246640921 CEST	49719	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:11.248063087 CEST	49719	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:11.248070955 CEST	443	49719	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:11.248338938 CEST	443	49719	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:11.252428055 CEST	49719	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:11.299395084 CEST	443	49719	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:11.523195028 CEST	443	49719	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:11.523255110 CEST	443	49719	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:11.523305893 CEST	49719	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:11.524312973 CEST	49719	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:11.524312973 CEST	49719	443	192.168.2.7	184.28.90.27
Oct 1, 2024 07:51:11.524319887 CEST	443	49719	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:11.524327993 CEST	443	49719	184.28.90.27	192.168.2.7
Oct 1, 2024 07:51:12.092011929 CEST	49671	443	192.168.2.7	204.79.197.203
Oct 1, 2024 07:51:13.241707087 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:13.241715908 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:13.241765976 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:13.242108107 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:13.242115021 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:13.253662109 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 1, 2024 07:51:13.866585016 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:13.868455887 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:13.868467093 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:13.868920088 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:13.868978024 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:13.869612932 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:13.869693995 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:13.870788097 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:13.870877028 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:13.871123075 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:13.871129990 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:13.920754910 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.190745115 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.190788984 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.190897942 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.193514109 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.193522930 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.194796085 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.196027040 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.196033001 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.201225042 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.201359034 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.205859900 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.205864906 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.207490921 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.209856033 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.209861994 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.209938049 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.211838007 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.211911917 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.213855982 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.213860989 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.214147091 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.273082018 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.273122072 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.273857117 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.273865938 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.276860952 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.277534008 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.277606010 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.282088995 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.282135963 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.282215118 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.282531977 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.289824009 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.289897919 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.296078920 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.296148062 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.296241045 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.301028013 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.301090956 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.301101923 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.307507038 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.307543993 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.307549000 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.307636976 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.307723999 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.737437010 CEST	49727	443	192.168.2.7	142.250.186.174
Oct 1, 2024 07:51:14.737462997 CEST	443	49727	142.250.186.174	192.168.2.7
Oct 1, 2024 07:51:14.751214027 CEST	49730	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:14.751241922 CEST	443	49730	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:14.751322031 CEST	49730	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:14.752528906 CEST	49730	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:14.752551079 CEST	443	49730	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:14.819559097 CEST	49731	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:14.819607019 CEST	443	49731	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:14.819699049 CEST	49731	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:14.820091963 CEST	49731	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:14.820101976 CEST	443	49731	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.390024900 CEST	443	49730	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.391407967 CEST	49730	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.391422033 CEST	443	49730	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.391757965 CEST	443	49730	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.391825914 CEST	49730	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.392427921 CEST	443	49730	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.392477036 CEST	49730	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.393582106 CEST	49730	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.393635035 CEST	443	49730	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.393841028 CEST	49730	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.393847942 CEST	443	49730	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.436223030 CEST	49730	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.665740967 CEST	443	49731	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.666143894 CEST	49731	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.666161060 CEST	443	49731	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.666527987 CEST	443	49731	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.666598082 CEST	49731	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.667222023 CEST	443	49731	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.667274952 CEST	49731	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.667417049 CEST	49731	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.667463064 CEST	443	49731	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.667787075 CEST	49731	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.667792082 CEST	443	49731	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.692958117 CEST	443	49730	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.693547964 CEST	49730	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.693558931 CEST	443	49730	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.693571091 CEST	443	49730	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.693609953 CEST	49730	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.693638086 CEST	49730	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.694562912 CEST	49734	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.694607019 CEST	443	49734	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.694664955 CEST	49734	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.695041895 CEST	49734	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.695059061 CEST	443	49734	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.718614101 CEST	49731	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.973666906 CEST	443	49731	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.973995924 CEST	443	49731	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.974092007 CEST	49731	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.974236012 CEST	49731	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.974261999 CEST	443	49731	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.974287033 CEST	49731	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.974335909 CEST	49731	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.975193024 CEST	49737	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.975244999 CEST	443	49737	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:15.975320101 CEST	49737	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.975881100 CEST	49737	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:15.975893974 CEST	443	49737	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.329936028 CEST	443	49734	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.330166101 CEST	49734	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.330183983 CEST	443	49734	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.330576897 CEST	443	49734	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.330636978 CEST	49734	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.331275940 CEST	443	49734	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.331320047 CEST	49734	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.331454039 CEST	49734	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.331657887 CEST	49734	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.331666946 CEST	443	49734	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.331682920 CEST	49734	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.336736917 CEST	443	49734	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.390912056 CEST	49734	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.390932083 CEST	443	49734	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.436310053 CEST	49734	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.557435989 CEST	443	49734	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.558408976 CEST	443	49734	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.558490992 CEST	49734	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.559350967 CEST	49734	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.559370041 CEST	443	49734	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.615866899 CEST	443	49737	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.616360903 CEST	49737	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.616384029 CEST	443	49737	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.616741896 CEST	443	49737	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.616806030 CEST	49737	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.617434978 CEST	443	49737	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.617481947 CEST	49737	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.617631912 CEST	49737	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.617688894 CEST	443	49737	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.617856979 CEST	49737	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.617863894 CEST	443	49737	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.617881060 CEST	49737	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.659400940 CEST	443	49737	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.671128035 CEST	49737	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.792884111 CEST	49708	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:51:16.833867073 CEST	443	49737	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.834609985 CEST	443	49737	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:16.834670067 CEST	49737	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.835416079 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:16.835498095 CEST	49737	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:16.835517883 CEST	443	49737	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:17.058984995 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:17.059029102 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:17.059056044 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:17.059079885 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:17.059124947 CEST	49708	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:51:17.059139967 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:17.059156895 CEST	49708	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:51:17.059391022 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:17.059444904 CEST	49708	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:51:17.220333099 CEST	49708	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:51:17.220367908 CEST	443	49708	172.217.16.196	192.168.2.7
Oct 1, 2024 07:51:17.968605995 CEST	49739	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:17.968640089 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:17.968709946 CEST	49739	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:17.970613956 CEST	49739	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:17.970623016 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:18.612071991 CEST	49699	443	192.168.2.7	104.98.116.138
Oct 1, 2024 07:51:18.612775087 CEST	49742	443	192.168.2.7	104.98.116.138
Oct 1, 2024 07:51:18.612802029 CEST	443	49742	104.98.116.138	192.168.2.7
Oct 1, 2024 07:51:18.613135099 CEST	49742	443	192.168.2.7	104.98.116.138
Oct 1, 2024 07:51:18.615258932 CEST	49742	443	192.168.2.7	104.98.116.138
Oct 1, 2024 07:51:18.615268946 CEST	443	49742	104.98.116.138	192.168.2.7
Oct 1, 2024 07:51:18.616906881 CEST	443	49699	104.98.116.138	192.168.2.7
Oct 1, 2024 07:51:18.790982008 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:18.791044950 CEST	49739	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:18.794208050 CEST	49739	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:18.794218063 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:18.794573069 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:18.842499018 CEST	49739	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:19.794855118 CEST	49739	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:19.839400053 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:20.062506914 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:20.062520981 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:20.062527895 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:20.062557936 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:20.062598944 CEST	49739	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:20.062606096 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:20.062608957 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:20.062640905 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:20.062665939 CEST	49739	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:20.062808037 CEST	49739	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:20.062841892 CEST	49739	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:20.063157082 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:20.063198090 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:20.063298941 CEST	49739	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:20.833542109 CEST	49739	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:20.833571911 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:20.833614111 CEST	49739	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:20.833621025 CEST	443	49739	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:22.246876001 CEST	49748	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:22.246912003 CEST	443	49748	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:22.247005939 CEST	49748	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:22.247333050 CEST	49748	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:22.247349977 CEST	443	49748	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:22.894861937 CEST	443	49748	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:22.901483059 CEST	49748	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:22.901515007 CEST	443	49748	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:22.901910067 CEST	443	49748	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:22.908710003 CEST	49748	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:22.908832073 CEST	443	49748	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:22.909677029 CEST	49748	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:22.909713984 CEST	49748	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:22.909732103 CEST	443	49748	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:23.379370928 CEST	443	49748	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:23.379519939 CEST	443	49748	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:23.380337000 CEST	49748	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:23.380337000 CEST	49748	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:23.686470985 CEST	49748	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:23.686507940 CEST	443	49748	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:25.170749903 CEST	49677	443	192.168.2.7	20.50.201.200
Oct 1, 2024 07:51:45.270349979 CEST	49751	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:45.270411968 CEST	443	49751	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:45.270498991 CEST	49751	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:45.270781040 CEST	49751	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:45.270796061 CEST	443	49751	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:45.877119064 CEST	49752	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:45.877181053 CEST	443	49752	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:45.877294064 CEST	49752	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:45.877618074 CEST	49752	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:45.877629995 CEST	443	49752	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.171312094 CEST	443	49751	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.173093081 CEST	49751	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:46.173106909 CEST	443	49751	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.173502922 CEST	443	49751	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.173810005 CEST	49751	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:46.173873901 CEST	443	49751	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.173965931 CEST	49751	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:46.173990011 CEST	49751	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:46.173996925 CEST	443	49751	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.472162008 CEST	443	49751	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.472321033 CEST	443	49751	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.472414017 CEST	49751	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:46.478976011 CEST	49751	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:46.479001045 CEST	443	49751	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.490076065 CEST	49753	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:46.490128994 CEST	443	49753	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.490206003 CEST	49753	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:46.490727901 CEST	49753	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:46.490741014 CEST	443	49753	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.853786945 CEST	443	49752	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.854199886 CEST	49752	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:46.854218960 CEST	443	49752	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.854706049 CEST	443	49752	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.855021954 CEST	49752	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:46.855091095 CEST	443	49752	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:46.855186939 CEST	49752	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:46.855231047 CEST	49752	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:46.855237961 CEST	443	49752	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:47.163964987 CEST	443	49753	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:47.164338112 CEST	49753	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:47.164366007 CEST	443	49753	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:47.164725065 CEST	443	49753	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:47.165030956 CEST	49753	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:47.165080070 CEST	443	49753	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:47.165194035 CEST	49753	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:47.165215015 CEST	49753	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:47.165218115 CEST	443	49753	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:47.168628931 CEST	443	49752	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:47.169470072 CEST	443	49752	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:47.169542074 CEST	49752	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:47.169657946 CEST	49752	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:47.169675112 CEST	443	49752	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:47.382206917 CEST	443	49753	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:47.382742882 CEST	443	49753	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:47.382797003 CEST	49753	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:47.382919073 CEST	49753	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:51:47.382936954 CEST	443	49753	142.250.185.174	192.168.2.7
Oct 1, 2024 07:51:57.268584013 CEST	49754	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:57.268627882 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:57.268723011 CEST	49754	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:57.269093990 CEST	49754	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:57.269103050 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:58.058646917 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:58.058849096 CEST	49754	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:58.062623024 CEST	49754	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:58.062635899 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:58.062882900 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:58.068878889 CEST	49754	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:58.115395069 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:58.395920038 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:58.395940065 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:58.395953894 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:58.396015882 CEST	49754	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:58.396044016 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:58.396064997 CEST	49754	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:58.396085024 CEST	49754	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:58.396967888 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:58.397001982 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:58.397028923 CEST	49754	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:58.397037029 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:58.397063017 CEST	49754	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:58.397640944 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:58.397676945 CEST	49754	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:58.466454029 CEST	49754	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:58.466485023 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:51:58.466500998 CEST	49754	443	192.168.2.7	4.175.87.197
Oct 1, 2024 07:51:58.466507912 CEST	443	49754	4.175.87.197	192.168.2.7
Oct 1, 2024 07:52:01.696485043 CEST	443	49742	104.98.116.138	192.168.2.7
Oct 1, 2024 07:52:01.696542978 CEST	49742	443	192.168.2.7	104.98.116.138
Oct 1, 2024 07:52:07.157546043 CEST	49756	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:52:07.157596111 CEST	443	49756	172.217.16.196	192.168.2.7
Oct 1, 2024 07:52:07.157720089 CEST	49756	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:52:07.157927990 CEST	49756	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:52:07.157939911 CEST	443	49756	172.217.16.196	192.168.2.7
Oct 1, 2024 07:52:08.306802034 CEST	443	49756	172.217.16.196	192.168.2.7
Oct 1, 2024 07:52:08.321680069 CEST	49756	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:52:08.321696043 CEST	443	49756	172.217.16.196	192.168.2.7
Oct 1, 2024 07:52:08.322082996 CEST	443	49756	172.217.16.196	192.168.2.7
Oct 1, 2024 07:52:08.373577118 CEST	49756	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:52:08.416570902 CEST	49756	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:52:08.416707993 CEST	443	49756	172.217.16.196	192.168.2.7
Oct 1, 2024 07:52:08.467413902 CEST	49756	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:52:15.680794954 CEST	49757	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:15.680850029 CEST	443	49757	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:15.680905104 CEST	49757	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:15.681417942 CEST	49757	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:15.681437969 CEST	443	49757	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:16.318305969 CEST	443	49757	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:16.318559885 CEST	49757	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:16.318592072 CEST	443	49757	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:16.320039034 CEST	443	49757	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:16.321218014 CEST	49757	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:16.321399927 CEST	443	49757	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:16.322029114 CEST	49757	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:16.322139978 CEST	49757	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:16.322148085 CEST	443	49757	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:16.630193949 CEST	443	49757	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:16.630865097 CEST	443	49757	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:16.630934000 CEST	49757	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:16.631135941 CEST	49757	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:16.631155968 CEST	443	49757	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:17.782835960 CEST	49759	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:17.782895088 CEST	443	49759	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:17.782977104 CEST	49759	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:17.783390999 CEST	49759	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:17.783401966 CEST	443	49759	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:18.220922947 CEST	443	49756	172.217.16.196	192.168.2.7
Oct 1, 2024 07:52:18.221009970 CEST	443	49756	172.217.16.196	192.168.2.7
Oct 1, 2024 07:52:18.221046925 CEST	49756	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:52:18.420229912 CEST	443	49759	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:18.549452066 CEST	49759	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:18.549499989 CEST	443	49759	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:18.551165104 CEST	443	49759	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:18.639230967 CEST	49759	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:18.642353058 CEST	49759	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:18.642529011 CEST	443	49759	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:18.642899990 CEST	49759	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:18.642937899 CEST	49759	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:18.642947912 CEST	443	49759	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:18.864027977 CEST	443	49759	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:18.864634991 CEST	443	49759	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:18.864695072 CEST	49759	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:18.867655993 CEST	49759	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:18.867681026 CEST	443	49759	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:31.161591053 CEST	49756	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:52:31.161618948 CEST	443	49756	172.217.16.196	192.168.2.7
Oct 1, 2024 07:52:46.427293062 CEST	49761	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:46.427340031 CEST	443	49761	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:46.427438974 CEST	49761	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:46.427879095 CEST	49761	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:46.427894115 CEST	443	49761	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:47.057477951 CEST	443	49761	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:47.057981968 CEST	49761	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:47.058060884 CEST	443	49761	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:47.058465004 CEST	443	49761	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:47.058773041 CEST	49761	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:47.058847904 CEST	443	49761	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:47.058957100 CEST	49761	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:47.059015036 CEST	49761	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:47.059027910 CEST	443	49761	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:47.356210947 CEST	443	49761	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:47.357346058 CEST	443	49761	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:47.357417107 CEST	49761	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:47.357520103 CEST	49761	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:47.357539892 CEST	443	49761	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:50.594880104 CEST	49762	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:50.594945908 CEST	443	49762	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:50.595052004 CEST	49762	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:50.595360041 CEST	49762	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:50.595376968 CEST	443	49762	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:51.225128889 CEST	443	49762	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:51.225411892 CEST	49762	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:51.225441933 CEST	443	49762	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:51.225821972 CEST	443	49762	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:51.226095915 CEST	49762	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:51.226145983 CEST	443	49762	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:51.226254940 CEST	49762	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:51.226272106 CEST	49762	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:51.226277113 CEST	443	49762	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:51.523094893 CEST	443	49762	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:51.523659945 CEST	443	49762	142.250.185.174	192.168.2.7
Oct 1, 2024 07:52:51.523737907 CEST	49762	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:51.523840904 CEST	49762	443	192.168.2.7	142.250.185.174
Oct 1, 2024 07:52:51.523861885 CEST	443	49762	142.250.185.174	192.168.2.7
Oct 1, 2024 07:53:07.219397068 CEST	49763	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:53:07.219440937 CEST	443	49763	172.217.16.196	192.168.2.7
Oct 1, 2024 07:53:07.219588995 CEST	49763	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:53:07.219917059 CEST	49763	443	192.168.2.7	172.217.16.196
Oct 1, 2024 07:53:07.219929934 CEST	443	49763	172.217.16.196	192.168.2.7
Oct 1, 2024 07:53:07.868382931 CEST	443	49763	172.217.16.196	192.168.2.7
Oct 1, 2024 07:53:07.921124935 CEST	49763	443	192.168.2.7	172.217.16.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 07:51:04.210196018 CEST	61927	53	192.168.2.7	1.1.1.1
Oct 1, 2024 07:51:04.210361004 CEST	51212	53	192.168.2.7	1.1.1.1
Oct 1, 2024 07:51:04.215989113 CEST	53	50959	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:04.216881037 CEST	53	61927	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:04.218278885 CEST	53	51212	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:04.218631983 CEST	53	52704	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:05.319766998 CEST	56216	53	192.168.2.7	1.1.1.1
Oct 1, 2024 07:51:05.320005894 CEST	56073	53	192.168.2.7	1.1.1.1
Oct 1, 2024 07:51:05.326322079 CEST	53	56216	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:05.326978922 CEST	53	56073	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:05.371014118 CEST	53	60216	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:07.093318939 CEST	65226	53	192.168.2.7	1.1.1.1
Oct 1, 2024 07:51:07.093400002 CEST	54368	53	192.168.2.7	1.1.1.1
Oct 1, 2024 07:51:07.100291014 CEST	53	65226	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:07.100307941 CEST	53	54368	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:07.952447891 CEST	123	123	192.168.2.7	13.95.65.251
Oct 1, 2024 07:51:08.137028933 CEST	123	123	13.95.65.251	192.168.2.7
Oct 1, 2024 07:51:10.560928106 CEST	53	60443	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:13.207657099 CEST	65181	53	192.168.2.7	1.1.1.1
Oct 1, 2024 07:51:13.208031893 CEST	55008	53	192.168.2.7	1.1.1.1
Oct 1, 2024 07:51:13.214989901 CEST	53	55008	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:13.219799995 CEST	53	65181	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:14.742449045 CEST	53689	53	192.168.2.7	1.1.1.1
Oct 1, 2024 07:51:14.742728949 CEST	61586	53	192.168.2.7	1.1.1.1
Oct 1, 2024 07:51:14.749135017 CEST	53	53689	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:14.750086069 CEST	53	61586	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:17.244951010 CEST	53	54927	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:22.444931984 CEST	53	63342	1.1.1.1	192.168.2.7
Oct 1, 2024 07:51:41.404077053 CEST	53	64350	1.1.1.1	192.168.2.7
Oct 1, 2024 07:52:02.178462029 CEST	138	138	192.168.2.7	192.168.2.255
Oct 1, 2024 07:52:02.759990931 CEST	53	59536	1.1.1.1	192.168.2.7
Oct 1, 2024 07:52:04.036067963 CEST	53	60349	1.1.1.1	192.168.2.7
Oct 1, 2024 07:52:15.503221989 CEST	53499	53	192.168.2.7	1.1.1.1
Oct 1, 2024 07:52:15.503403902 CEST	58235	53	192.168.2.7	1.1.1.1
Oct 1, 2024 07:52:15.679996967 CEST	53	54583	1.1.1.1	192.168.2.7
Oct 1, 2024 07:52:15.680140018 CEST	53	58235	1.1.1.1	192.168.2.7
Oct 1, 2024 07:52:15.680183887 CEST	53	53499	1.1.1.1	192.168.2.7
Oct 1, 2024 07:52:31.169519901 CEST	53	53967	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 07:51:04.210196018 CEST	192.168.2.7	1.1.1.1	0x6c7f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:04.210361004 CEST	192.168.2.7	1.1.1.1	0xc796	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 1, 2024 07:51:05.319766998 CEST	192.168.2.7	1.1.1.1	0xa7fd	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.320005894 CEST	192.168.2.7	1.1.1.1	0xb6f2	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 07:51:07.093318939 CEST	192.168.2.7	1.1.1.1	0x285	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:07.093400002 CEST	192.168.2.7	1.1.1.1	0x4b5b	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 1, 2024 07:51:13.207657099 CEST	192.168.2.7	1.1.1.1	0x1fbe	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:13.208031893 CEST	192.168.2.7	1.1.1.1	0x3cf3	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 07:51:14.742449045 CEST	192.168.2.7	1.1.1.1	0xa201	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:14.742728949 CEST	192.168.2.7	1.1.1.1	0x12ed	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 1, 2024 07:52:15.503221989 CEST	192.168.2.7	1.1.1.1	0xda62	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:52:15.503403902 CEST	192.168.2.7	1.1.1.1	0x451b	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 07:51:04.216881037 CEST	1.1.1.1	192.168.2.7	0x6c7f	No error (0)	youtube.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:04.218278885 CEST	1.1.1.1	192.168.2.7	0xc796	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326322079 CEST	1.1.1.1	192.168.2.7	0xa7fd	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326978922 CEST	1.1.1.1	192.168.2.7	0xb6f2	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 07:51:05.326978922 CEST	1.1.1.1	192.168.2.7	0xb6f2	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 1, 2024 07:51:07.100291014 CEST	1.1.1.1	192.168.2.7	0x285	No error (0)	www.google.com		172.217.16.196	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:07.100307941 CEST	1.1.1.1	192.168.2.7	0x4b5b	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 1, 2024 07:51:13.214989901 CEST	1.1.1.1	192.168.2.7	0x3cf3	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 07:51:13.219799995 CEST	1.1.1.1	192.168.2.7	0x1fbe	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 07:51:13.219799995 CEST	1.1.1.1	192.168.2.7	0x1fbe	No error (0)	www3.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:51:14.749135017 CEST	1.1.1.1	192.168.2.7	0xa201	No error (0)	play.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:52:15.680183887 CEST	1.1.1.1	192.168.2.7	0xda62	No error (0)	play.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49702	172.217.16.206	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:05 UTC	847	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 05:51:05 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Tue, 01 Oct 2024 05:51:05 GMT Date: Tue, 01 Oct 2024 05:51:05 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49706	142.250.186.110	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:05 UTC	865	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 05:51:06 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 05:51:06 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Tue, 01-Oct-2024 06:21:06 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=wcCDqedRDlY; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=CBeiQLky1Ik; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 05:51:06 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgTw%3D%3D; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 05:51:06 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49714	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:10 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 05:51:10 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=212080 Date: Tue, 01 Oct 2024 05:51:10 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49719	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:11 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 05:51:11 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=212023 Date: Tue, 01 Oct 2024 05:51:11 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-01 05:51:11 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49727	142.250.186.174	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:13 UTC	1232	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1731286821&timestamp=1727761872549 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 05:51:14 UTC	1958	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-gzKXrG7ZXSAW3DTW08QCHQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 05:51:14 GMT Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Resource-Policy: cross-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjMtDikmII1JBikPj6kkkLiJ3SZ7CGAHHSv_OsJUB8ufsS63UgLpK4wtoCxELcHJdmv9vOJtBxeb2ykl5SfmF8ZkpqXklmSWVKfm5iZl5yfn52ZmpxcWpRWWpRvJGBkYmBpZGRnoFFfIEBAD6vKdY" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 05:51:14 UTC	1958	IN	Data Raw: 37 36 31 37 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 67 7a 4b 58 72 47 37 5a 58 53 41 57 33 44 54 57 30 38 51 43 48 51 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7617<html><head><script nonce="gzKXrG7ZXSAW3DTW08QCHQ">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-01 05:51:14 UTC	1958	IN	Data Raw: 63 5b 31 5d 29 69 66 28 62 3d 2f 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b Data Ascii: c[1])if(b=/Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+
2024-10-01 05:51:14 UTC	1958	IN	Data Raw: 61 29 7d 2c 49 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 Data Ascii: a)},Ia=function(a){switch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}els
2024-10-01 05:51:14 UTC	1958	IN	Data Raw: 3f 61 2e 74 6f 4a 53 4f 4e 28 29 3a 49 61 28 61 29 7d 2c 53 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 Data Ascii: ?a.toJSON():Ia(a)},Sa=function(a){var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void
2024-10-01 05:51:14 UTC	1958	IN	Data Raw: 20 62 28 63 2b 28 66 7c 7c 22 22 29 2b 22 5f 22 2b 64 2b 2b 2c 66 29 7d 3b 72 65 74 75 72 6e 20 65 7d 29 3b 0a 47 28 22 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b Data Ascii: b(c+(f\|\|"")+"_"+d++,f)};return e});G("Symbol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++
2024-10-01 05:51:14 UTC	1958	IN	Data Raw: 72 6e 21 31 7d 7d 28 29 29 72 65 74 75 72 6e 20 61 3b 0a 76 61 72 20 66 3d 22 24 6a 73 63 6f 6d 70 5f 68 69 64 64 65 6e 5f 22 2b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 Data Ascii: rn!1}}())return a;var f="$jscomp_hidden_"+Math.random();e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=f
2024-10-01 05:51:14 UTC	1958	IN	Data Raw: 6b 65 79 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 76 61 6c 75 65 73 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 65 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 67 29 7b 72 65 74 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 Data Ascii: key})};c.prototype.values=function(){return e(this,function(g){return g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=f
2024-10-01 05:51:14 UTC	1958	IN	Data Raw: 28 62 29 7b 72 65 74 75 72 6e 20 4e 75 6d 62 65 72 2e 69 73 46 69 6e 69 74 65 28 62 29 3f 62 3d 3d 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 62 29 3a 21 31 7d 7d 29 3b 47 28 22 4e 75 6d 62 65 72 2e 69 73 4e 61 4e 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 Data Ascii: (b){return Number.isFinite(b)?b===Math.floor(b):!1}});G("Number.isNaN",function(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)i
2024-10-01 05:51:14 UTC	1958	IN	Data Raw: 66 2c 61 29 7d 3b 76 61 72 20 78 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 7c 7c 28 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d Data Ascii: f,a)};var xa=function(a,b){a.__closure__error__context__984382\|\|(a.__closure__error__context__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({m
2024-10-01 05:51:14 UTC	1958	IN	Data Raw: 22 2c 20 22 29 3b 76 61 72 20 66 3d 64 5b 65 5d 3b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 66 29 7b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 66 3d 66 3f 22 6f 62 6a 65 63 74 22 3a 22 6e 75 6c 6c 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 73 74 72 69 6e 67 22 3a 62 72 65 61 6b 3b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c Data Ascii: ", ");var f=d[e];switch(typeof f){case "object":f=f?"object":"null";break;case "string":break;case "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49730	142.250.185.174	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:15 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 05:51:15 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 05:51:15 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49731	142.250.185.174	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:15 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 05:51:15 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 05:51:15 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49734	142.250.185.174	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:16 UTC	1120	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 05:51:16 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 36 31 38 37 34 30 38 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727761874085",null,null,null
2024-10-01 05:51:16 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=snQzUaj2gsNaXF0FXx3FFBFLysabE1xssb3ygtfJqMICegbexOJEsjNmM_i3r_V1phGw-ujXdNmaS-9nEHdM2s89Hf8ACKxlFs8QkuWIGrGODE7nghsWXWxVFmks8w9ka2oHvIjMxvvErd2xaAJgiZ15V6OmLwMWSpaGq9i-NeOiAKLyKj8; expires=Wed, 02-Apr-2025 05:51:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 05:51:16 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 05:51:16 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 05:51:16 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 05:51:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49737	142.250.185.174	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:16 UTC	1120	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 05:51:16 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 36 31 38 37 34 31 36 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727761874165",null,null,null
2024-10-01 05:51:16 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=PKHYiUHWkvduJ07LWJqJEjOzY2hnvTZ8u_vxp4wGq4_WGhl7Vh55A9lDdjYRnKI0pw8sfmfti0WsfZ2Me89TasKQ40g9Qv4cja9tWNr0MQ85Z33ZqCyaTHaZZnII-Q2lEdMIQVDS511AR6C3gmBwGuiM_SWcHABsdY5yDWrgLflwxXYUWMs; expires=Wed, 02-Apr-2025 05:51:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 05:51:16 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 05:51:16 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 05:51:16 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 05:51:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49708	172.217.16.196	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:16 UTC	1210	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=snQzUaj2gsNaXF0FXx3FFBFLysabE1xssb3ygtfJqMICegbexOJEsjNmM_i3r_V1phGw-ujXdNmaS-9nEHdM2s89Hf8ACKxlFs8QkuWIGrGODE7nghsWXWxVFmks8w9ka2oHvIjMxvvErd2xaAJgiZ15V6OmLwMWSpaGq9i-NeOiAKLyKj8
2024-10-01 05:51:17 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Tue, 01 Oct 2024 04:26:33 GMT Expires: Wed, 09 Oct 2024 04:26:33 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 5083 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 05:51:17 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-01 05:51:17 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-01 05:51:17 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-01 05:51:17 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-01 05:51:17 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49739	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:19 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ahgbDtugU7k3WPo&MD=cgRRYdmF HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 05:51:20 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: a53f7c93-ba31-45f5-9fb7-0757e3f8df1f MS-RequestId: 5d7f1a6c-a465-4248-874d-9870772b4615 MS-CV: t1iKVuHMEE2gEZUE.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 05:51:19 GMT Connection: close Content-Length: 24490
2024-10-01 05:51:20 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-01 05:51:20 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49748	142.250.185.174	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:22 UTC	1295	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1221 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=PKHYiUHWkvduJ07LWJqJEjOzY2hnvTZ8u_vxp4wGq4_WGhl7Vh55A9lDdjYRnKI0pw8sfmfti0WsfZ2Me89TasKQ40g9Qv4cja9tWNr0MQ85Z33ZqCyaTHaZZnII-Q2lEdMIQVDS511AR6C3gmBwGuiM_SWcHABsdY5yDWrgLflwxXYUWMs
2024-10-01 05:51:22 UTC	1221	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 37 36 31 38 37 31 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[4,0,0,0,0]]],558,[["1727761871000",null,null,null,
2024-10-01 05:51:23 UTC	941	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=mPw403iprSWspuuMwwPdL7ks4AfVyopGVn3GUfxiaHAYF0Q1LFQJwAHx8C6JlPZ-kJGZ0hqXli1BjhRCHQQdf8RCSUn8pjqrXGVc_lCiB7pCf0023EZ3bFE3qhkfK1Zupl6kQGav4-n2QZVNU8GE0DDETZR5UREryrwf7qrDU0OmtUW4Jr2JYbjgh1s; expires=Wed, 02-Apr-2025 05:51:23 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 05:51:23 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 05:51:23 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 05:51:23 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 05:51:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49751	142.250.185.174	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:46 UTC	1326	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1298 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mPw403iprSWspuuMwwPdL7ks4AfVyopGVn3GUfxiaHAYF0Q1LFQJwAHx8C6JlPZ-kJGZ0hqXli1BjhRCHQQdf8RCSUn8pjqrXGVc_lCiB7pCf0023EZ3bFE3qhkfK1Zupl6kQGav4-n2QZVNU8GE0DDETZR5UREryrwf7qrDU0OmtUW4Jr2JYbjgh1s
2024-10-01 05:51:46 UTC	1298	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 36 31 39 30 34 36 31 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727761904617",null,null,null
2024-10-01 05:51:46 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 05:51:46 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 05:51:46 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 05:51:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49752	142.250.185.174	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:46 UTC	1326	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1507 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mPw403iprSWspuuMwwPdL7ks4AfVyopGVn3GUfxiaHAYF0Q1LFQJwAHx8C6JlPZ-kJGZ0hqXli1BjhRCHQQdf8RCSUn8pjqrXGVc_lCiB7pCf0023EZ3bFE3qhkfK1Zupl6kQGav4-n2QZVNU8GE0DDETZR5UREryrwf7qrDU0OmtUW4Jr2JYbjgh1s
2024-10-01 05:51:46 UTC	1507	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 36 31 39 30 35 38 32 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727761905820",null,null,null
2024-10-01 05:51:47 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 05:51:47 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 05:51:47 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 05:51:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49753	142.250.185.174	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:47 UTC	1286	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1037 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.134" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mPw403iprSWspuuMwwPdL7ks4AfVyopGVn3GUfxiaHAYF0Q1LFQJwAHx8C6JlPZ-kJGZ0hqXli1BjhRCHQQdf8RCSUn8pjqrXGVc_lCiB7pCf0023EZ3bFE3qhkfK1Zupl6kQGav4-n2QZVNU8GE0DDETZR5UREryrwf7qrDU0OmtUW4Jr2JYbjgh1s
2024-10-01 05:51:47 UTC	1037	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 34 2e 30 32 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240924.02_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[3,0,0
2024-10-01 05:51:47 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 05:51:47 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 05:51:47 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 05:51:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49754	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:51:58 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ahgbDtugU7k3WPo&MD=cgRRYdmF HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 05:51:58 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 64295015-9b4f-4bf4-bd40-82cb230e3029 MS-RequestId: 73e900ad-310e-4059-9766-20d9fcc1e821 MS-CV: MiZAfTx3Sku6f35a.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 05:51:57 GMT Connection: close Content-Length: 30005
2024-10-01 05:51:58 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-01 05:51:58 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49757	142.250.185.174	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:52:16 UTC	1326	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1265 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mPw403iprSWspuuMwwPdL7ks4AfVyopGVn3GUfxiaHAYF0Q1LFQJwAHx8C6JlPZ-kJGZ0hqXli1BjhRCHQQdf8RCSUn8pjqrXGVc_lCiB7pCf0023EZ3bFE3qhkfK1Zupl6kQGav4-n2QZVNU8GE0DDETZR5UREryrwf7qrDU0OmtUW4Jr2JYbjgh1s
2024-10-01 05:52:16 UTC	1265	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 36 36 33 30 35 35 32 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727766305523",null,null,null
2024-10-01 05:52:16 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 05:52:16 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 05:52:16 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 05:52:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49759	142.250.185.174	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:52:18 UTC	1326	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1073 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mPw403iprSWspuuMwwPdL7ks4AfVyopGVn3GUfxiaHAYF0Q1LFQJwAHx8C6JlPZ-kJGZ0hqXli1BjhRCHQQdf8RCSUn8pjqrXGVc_lCiB7pCf0023EZ3bFE3qhkfK1Zupl6kQGav4-n2QZVNU8GE0DDETZR5UREryrwf7qrDU0OmtUW4Jr2JYbjgh1s
2024-10-01 05:52:18 UTC	1073	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 36 36 33 30 37 38 30 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727766307803",null,null,null
2024-10-01 05:52:18 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 05:52:18 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 05:52:18 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 05:52:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49761	142.250.185.174	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:52:47 UTC	1326	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1240 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mPw403iprSWspuuMwwPdL7ks4AfVyopGVn3GUfxiaHAYF0Q1LFQJwAHx8C6JlPZ-kJGZ0hqXli1BjhRCHQQdf8RCSUn8pjqrXGVc_lCiB7pCf0023EZ3bFE3qhkfK1Zupl6kQGav4-n2QZVNU8GE0DDETZR5UREryrwf7qrDU0OmtUW4Jr2JYbjgh1s
2024-10-01 05:52:47 UTC	1240	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 36 36 33 33 36 34 34 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727766336447",null,null,null
2024-10-01 05:52:47 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 05:52:47 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 05:52:47 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 05:52:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49762	142.250.185.174	443	7196	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:52:51 UTC	1326	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1220 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mPw403iprSWspuuMwwPdL7ks4AfVyopGVn3GUfxiaHAYF0Q1LFQJwAHx8C6JlPZ-kJGZ0hqXli1BjhRCHQQdf8RCSUn8pjqrXGVc_lCiB7pCf0023EZ3bFE3qhkfK1Zupl6kQGav4-n2QZVNU8GE0DDETZR5UREryrwf7qrDU0OmtUW4Jr2JYbjgh1s
2024-10-01 05:52:51 UTC	1220	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 36 36 33 34 30 36 31 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727766340615",null,null,null
2024-10-01 05:52:51 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 05:52:51 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 05:52:51 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 05:52:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	01:51:00
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x170000
File size:	917'504 bytes
MD5 hash:	1355F9171EC60527ABDE0294C9BC90FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:51:00
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	01:51:01
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1976,i,17972570215221199124,13710039879240288618,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	01:51:14
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5324 --field-trial-handle=1976,i,17972570215221199124,13710039879240288618,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	01:51:14
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1976,i,17972570215221199124,13710039879240288618,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.7%
Total number of Nodes:	1387
Total number of Limit Nodes:	30

Executed Functions

Function 001742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0017430D

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

GetCurrentProcess.KERNEL32(?,0020CB64,00000000,?,?), ref: 00174422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00174429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00174454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00174466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00174474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0017447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001744A0

Strings

|O, xrefs: 001B36F8
kernel32.dll, xrefs: 0017444F
GetNativeSystemInfo, xrefs: 00174460

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 58ce204a4ddec0f406fac80883bd5235147b5e9bb99d14c4340d7d33438d2a24
Instruction ID: dc421222772d450901a3d4097a2d5b51308edf961bd42b29c6e448499b468bb7
Opcode Fuzzy Hash: 58ce204a4ddec0f406fac80883bd5235147b5e9bb99d14c4340d7d33438d2a24
Instruction Fuzzy Hash: 90A1C47A90A3C0DFC715DF79BC4C1E57FA46B27740B1888D9E05593A62E7204AE8DB21

Function 001742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001750AA,?,?,00000000,00000000), ref: 001742B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001750AA,?,?,00000000,00000000), ref: 001742C9
LoadResource.KERNEL32(?,00000000,?,?,001750AA,?,?,00000000,00000000,?,?,?,?,?,?,00174F20), ref: 001B35BE
SizeofResource.KERNEL32(?,00000000,?,?,001750AA,?,?,00000000,00000000,?,?,?,?,?,?,00174F20), ref: 001B35D3
LockResource.KERNEL32(001750AA,?,?,001750AA,?,?,00000000,00000000,?,?,?,?,?,?,00174F20,?), ref: 001B35E6

Strings

SCRIPT, xrefs: 001742BF

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 1bb5185fe63824ab60481842e235c76934a583f6664e20b72a872420a1b1b8bc
Instruction ID: d20182632d72bca3b118bc1dc1a7843c62c4468ff4c9a6e226e733b6b1462477
Opcode Fuzzy Hash: 1bb5185fe63824ab60481842e235c76934a583f6664e20b72a872420a1b1b8bc
Instruction Fuzzy Hash: 0D118EB0200700BFD7218B65EC88F677BBDEBC6B51F208269F846D6691DB71DC508A20

Function 001B2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00172B6B

Part of subcall function 00173A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00241418,?,00172E7F,?,?,?,00000000), ref: 00173A78

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00232224), ref: 001B2C10
ShellExecuteW.SHELL32(00000000,?,?,00232224), ref: 001B2C17

Strings

runas, xrefs: 001B2C0B

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 8cbc2260ce9daffb140b2efcc32d7a12d3ebee79ebe8b0607498cdd952ce8009
Instruction ID: 852690c877d6be9bebd0e846f1961fceb6fa458e839e5b7f3441cec1f9c352cd
Opcode Fuzzy Hash: 8cbc2260ce9daffb140b2efcc32d7a12d3ebee79ebe8b0607498cdd952ce8009
Instruction Fuzzy Hash: FF11B4712083056AC718FF60E856DAE77B4ABB1300F54842DF05E570A3CF31955A9752

Function 001DD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001DD501
Process32FirstW.KERNEL32(00000000,?), ref: 001DD50F
Process32NextW.KERNEL32(00000000,?), ref: 001DD52F
CloseHandle.KERNELBASE(00000000), ref: 001DD5DC

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: fb365f6d225c80abe00fe4c310c822a42f3a4e8f58dfda2d40d0b1e1c13edb8d
Instruction ID: 4f193af55ae3c2cc55351990f506dcfdaf45540549c954a41fc6334f90789608
Opcode Fuzzy Hash: fb365f6d225c80abe00fe4c310c822a42f3a4e8f58dfda2d40d0b1e1c13edb8d
Instruction Fuzzy Hash: A231A4711083009FD301EF54E885EAFBBF8EFA9354F14452DF589862A2EB719949CB93

Function 001DDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,001B5222), ref: 001DDBCE
GetFileAttributesW.KERNELBASE(?), ref: 001DDBDD
FindFirstFileW.KERNEL32(?,?), ref: 001DDBEE
FindClose.KERNEL32(00000000), ref: 001DDBFA

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 25114e049da994858b1020940748494090ee93a88cfe9d360fde9ce0032c326c
Instruction ID: bbc8dd6abf985f0671b4c9b3ce29bb232ba235f263612861e22c26d862ce29f4
Opcode Fuzzy Hash: 25114e049da994858b1020940748494090ee93a88cfe9d360fde9ce0032c326c
Instruction Fuzzy Hash: B8F0A070820A205BC2206B7CBC0E8BA776C9E02334F20470BF836C22E2EBB059548695

Function 00194CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001A28E9,?,00194CBE,001A28E9,002388B8,0000000C,00194E15,001A28E9,00000002,00000000,?,001A28E9), ref: 00194D09
TerminateProcess.KERNEL32(00000000,?,00194CBE,001A28E9,002388B8,0000000C,00194E15,001A28E9,00000002,00000000,?,001A28E9), ref: 00194D10
ExitProcess.KERNEL32 ref: 00194D22

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 629dab41b21833747f82e61b38ad892c7019e8fdb96bc87fa1bc5e297917fbdc
Instruction ID: bbaaa1e6d8825f04b2e9f7d258f34cd24b6049ee703d7a6dc3fc36c60023d26b
Opcode Fuzzy Hash: 629dab41b21833747f82e61b38ad892c7019e8fdb96bc87fa1bc5e297917fbdc
Instruction Fuzzy Hash: 6CE0B675010248ABCF15AF94ED0DE587BA9FB66791B208154FC198A123CB35DE42CA80

Function 0017BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#$, xrefs: 001C07CE

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#$
API String ID: 3964851224-689578738
Opcode ID: fa6dbc8819d44de0ed068fcc524db90d32eb9830cea08f49a7a753969470d848
Instruction ID: fb42236583d402b9ea8d96f474ac03b8657a48d760a5665d17bfbd25b3463911
Opcode Fuzzy Hash: fa6dbc8819d44de0ed068fcc524db90d32eb9830cea08f49a7a753969470d848
Instruction Fuzzy Hash: A8A24570608341CFDB25DF28C480B2ABBF1BF99304F15896DE99A9B352D731E945CB92

Function 001FAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 001FB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001FB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001FB1D4
_wcslen.LIBCMT ref: 001FB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001FB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001FB236
_wcslen.LIBCMT ref: 001FB332

Part of subcall function 001E05A7: GetStdHandle.KERNEL32(000000F6), ref: 001E05C6

_wcslen.LIBCMT ref: 001FB34B
_wcslen.LIBCMT ref: 001FB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001FB3B6
GetLastError.KERNEL32(00000000), ref: 001FB407
CloseHandle.KERNEL32(?), ref: 001FB439
CloseHandle.KERNEL32(00000000), ref: 001FB44A
CloseHandle.KERNEL32(00000000), ref: 001FB45C
CloseHandle.KERNEL32(00000000), ref: 001FB46E
CloseHandle.KERNEL32(?), ref: 001FB4E3

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 8ce9c2a5aaf33d6de3bf24d53c53df8170bbe7b394b384e53b95353ab1e4de07
Instruction ID: b6f00aeddd972f2e937ca16f5dde427f33edd1a3c10e1c249bb002f5d813812a
Opcode Fuzzy Hash: 8ce9c2a5aaf33d6de3bf24d53c53df8170bbe7b394b384e53b95353ab1e4de07
Instruction Fuzzy Hash: 5EF1AB716083449FCB14EF24C891B6EBBE1BF85714F18855DF99A8B2A2CB31EC45CB52

Function 0017D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0017D807
timeGetTime.WINMM ref: 0017DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0017DB28
TranslateMessage.USER32(?), ref: 0017DB7B
DispatchMessageW.USER32(?), ref: 0017DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0017DB9F
Sleep.KERNEL32(0000000A), ref: 0017DBB1

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 9e3668c1afe62cada979141e918fa22f0fca02048980bccbe68df9d5ed930f16
Instruction ID: 0d1a015d49e4996f20b2913d26e992925709f7a1016e62c9236accf1a8f91664
Opcode Fuzzy Hash: 9e3668c1afe62cada979141e918fa22f0fca02048980bccbe68df9d5ed930f16
Instruction Fuzzy Hash: 0E42F170608345EFD729CF24D888FAAB7F0BFA6304F54865DE55A87291C770E884CB92

Function 00172CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00172D07
RegisterClassExW.USER32(00000030), ref: 00172D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00172D42
InitCommonControlsEx.COMCTL32(?), ref: 00172D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00172D6F
LoadIconW.USER32(000000A9), ref: 00172D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00172D94

Strings

0, xrefs: 00172CE9
AutoIt v3 GUI, xrefs: 00172D23
+, xrefs: 00172CF0
TaskbarCreated, xrefs: 00172D37

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cdc4eabe24c26c7435a09b1a58955784a0868a33d8c5f1ae3a964e6670abe667
Instruction ID: 04e5f2f19f2ea23afb8d8216efcc16676e9afe56da3bdf74c6ddd0e9c7781de1
Opcode Fuzzy Hash: cdc4eabe24c26c7435a09b1a58955784a0868a33d8c5f1ae3a964e6670abe667
Instruction Fuzzy Hash: A721C3B5951318AFDB00DFA4E88DBDDBBB8FB09700F10821AF511A62A1D7B14594CF91

Function 001B065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001B039A: CreateFileW.KERNELBASE(00000000,00000000,?,001B0704,?,?,00000000,?,001B0704,00000000,0000000C), ref: 001B03B7

GetLastError.KERNEL32 ref: 001B076F
__dosmaperr.LIBCMT ref: 001B0776
GetFileType.KERNELBASE(00000000), ref: 001B0782
GetLastError.KERNEL32 ref: 001B078C
__dosmaperr.LIBCMT ref: 001B0795
CloseHandle.KERNEL32(00000000), ref: 001B07B5
CloseHandle.KERNEL32(?), ref: 001B08FF
GetLastError.KERNEL32 ref: 001B0931
__dosmaperr.LIBCMT ref: 001B0938

Strings

H, xrefs: 001B08BD

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: afa3b9906540d4982685610424e020189204898badbaff8d120d45427f11d8d2
Instruction ID: 80ec925cfb2534e68f8a57ae33ab40efbe3bbf4c9d2da1fb0d6b1af266086bb6
Opcode Fuzzy Hash: afa3b9906540d4982685610424e020189204898badbaff8d120d45427f11d8d2
Instruction Fuzzy Hash: B7A13836A141049FDF1AEF68D895BEE7BA0AB1A320F14015DF815DB2D1CB319D16CB91

Function 0017344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00173A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00241418,?,00172E7F,?,?,?,00000000), ref: 00173A78

Part of subcall function 00173357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00173379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0017356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001B318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001B31CE
RegCloseKey.ADVAPI32(?), ref: 001B3210
_wcslen.LIBCMT ref: 001B3277
_wcslen.LIBCMT ref: 001B3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00173560
\, xrefs: 001B328C
\Include\, xrefs: 00173527
Include, xrefs: 001B3184, 001B31C5

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 13c782f8d7334258fc2080ed712455c44222f66ade7f7e38ee44b1cb72ee6782
Instruction ID: 303c4e4499c3c330e15d7ae51d22fd503fdb8005c6031834a9e0c02faf8b3151
Opcode Fuzzy Hash: 13c782f8d7334258fc2080ed712455c44222f66ade7f7e38ee44b1cb72ee6782
Instruction Fuzzy Hash: 5871AF71414300DEC314EF66EC869ABBBF8FFA6740F90456EF559931A1EB309A48CB52

Function 00172B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00172B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00172B9D
LoadIconW.USER32(00000063), ref: 00172BB3
LoadIconW.USER32(000000A4), ref: 00172BC5
LoadIconW.USER32(000000A2), ref: 00172BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00172BEF
RegisterClassExW.USER32(?), ref: 00172C40

Part of subcall function 00172CD4: GetSysColorBrush.USER32(0000000F), ref: 00172D07
Part of subcall function 00172CD4: RegisterClassExW.USER32(00000030), ref: 00172D31
Part of subcall function 00172CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00172D42
Part of subcall function 00172CD4: InitCommonControlsEx.COMCTL32(?), ref: 00172D5F
Part of subcall function 00172CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00172D6F
Part of subcall function 00172CD4: LoadIconW.USER32(000000A9), ref: 00172D85
Part of subcall function 00172CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00172D94

Strings

0, xrefs: 00172C0F
AutoIt v3, xrefs: 00172C2F
#, xrefs: 00172C16

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: be92b005b3bd2eb5f7375de143bf8e19b5347bbad2462a605e07e14184784721
Instruction ID: 103fa547b1b33bbd97310288d67b0dbd69346ef19eb97efc0558a5bca7afdcc6
Opcode Fuzzy Hash: be92b005b3bd2eb5f7375de143bf8e19b5347bbad2462a605e07e14184784721
Instruction Fuzzy Hash: DE214FB8E40314ABDB109F95FC8DA99BFB4FB09B50F10419AF500A66A0D3B105A0CF90

Function 00173170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0017316A,?,?), ref: 001731D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0017316A,?,?), ref: 00173204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00173227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0017316A,?,?), ref: 00173232
CreatePopupMenu.USER32 ref: 00173246
PostQuitMessage.USER32(00000000), ref: 00173267

Strings

TaskbarCreated, xrefs: 0017322D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 389fb9e6ffa27c735db1f84b383e0d9fc2ae21dcbbf767c56a997e1a3b95ca7d
Instruction ID: 5f3d6b2d170eef7d29d1e30fdbfde1b0bc295b22d22fad964c1c3fb3b03c701b
Opcode Fuzzy Hash: 389fb9e6ffa27c735db1f84b383e0d9fc2ae21dcbbf767c56a997e1a3b95ca7d
Instruction Fuzzy Hash: 6D414D39260204B7DB196F78EC0DBB93B79E706340F648215F52A862A3C771CE94F762

Function 00171410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00171459
CoUninitialize.COMBASE ref: 001714F8
UnregisterHotKey.USER32(?), ref: 001716DD
DestroyWindow.USER32(?), ref: 001B24B9
FreeLibrary.KERNEL32(?), ref: 001B251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 001B254B

Strings

close all, xrefs: 00171454

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 84623a5cfde7d9582a3b99a2a302083eb4c1688a26454a8cb1673c130268e59f
Instruction ID: 35eb3396b6b4ad36bed689419b8d3effd9453c3b803c93770f94026a58a1bef2
Opcode Fuzzy Hash: 84623a5cfde7d9582a3b99a2a302083eb4c1688a26454a8cb1673c130268e59f
Instruction Fuzzy Hash: C8D1AF31701212DFCB29EF18C499AA9F7B0BF15700F25829DE84A6B252DB30ED16CF50

Function 00172C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00172C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00172CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00171CAD,?), ref: 00172CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00171CAD,?), ref: 00172CCF

Strings

AutoIt v3, xrefs: 00172C89, 00172C8E, 00172C8F
edit, xrefs: 00172CAC

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: cc94ccce4310513309d6a1dc2a3cf2ff4c03d25b49d54359279893986adf826d
Instruction ID: 226ca6bd6226909e470ed6d97aec919dd427b692b3114b325ec551044753993e
Opcode Fuzzy Hash: cc94ccce4310513309d6a1dc2a3cf2ff4c03d25b49d54359279893986adf826d
Instruction Fuzzy Hash: 60F0DAB95403947AEB311B17BC4CE777EBDD7C7F50B10009AF900A25A1C66118A4DAB0

Function 00173B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00173B0F,SwapMouseButtons,00000004,?), ref: 00173B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00173B0F,SwapMouseButtons,00000004,?), ref: 00173B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00173B0F,SwapMouseButtons,00000004,?), ref: 00173B83

Strings

Control Panel\Mouse, xrefs: 00173B3E

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 138f0d445479a7193cba85915895900d14140cd3d5f2ba3f60d3c4be4278f98d
Instruction ID: bee6b08574d2818ae5e27a07925752f6cb5cb86ac0b9b0c9e2a7d17358ab894a
Opcode Fuzzy Hash: 138f0d445479a7193cba85915895900d14140cd3d5f2ba3f60d3c4be4278f98d
Instruction Fuzzy Hash: 89112AB5510208FFDB218FA5DC48AEEB7BCEF04744B10855AA819D7210D3319E40A7A0

Function 00173923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001B33A2

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00173A04

Strings

Line: , xrefs: 001B33EB

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: d31525b2e0dc1561e23bed4f56b4832c32cd31dfb6aa92f02247dc8fbe6ebfd6
Instruction ID: 7d6028626e6e47c2e871faa31a38b81b3520148950665e1e6cc3125f507e7d23
Opcode Fuzzy Hash: d31525b2e0dc1561e23bed4f56b4832c32cd31dfb6aa92f02247dc8fbe6ebfd6
Instruction Fuzzy Hash: 3631C371408300AAC725EB20EC49BEBB7F8AB95714F10856AF5AD83191EB709698C7C2

Function 00172DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 001B2C8C

Part of subcall function 00173AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00173A97,?,?,00172E7F,?,?,?,00000000), ref: 00173AC2

Part of subcall function 00172DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00172DC4

Strings

X, xrefs: 001B2C5A
`e#, xrefs: 001B2C85

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e#
API String ID: 779396738-321613518
Opcode ID: 03a2d1788a17a14a1ba757845bc70eb3ae78f9e0d78d647ed0010deb22bc3a1e
Instruction ID: 755bc7a3b96db0a2dc4afb779c1c4d03fbd78b76d28d3a794565c5c223b297e3
Opcode Fuzzy Hash: 03a2d1788a17a14a1ba757845bc70eb3ae78f9e0d78d647ed0010deb22bc3a1e
Instruction Fuzzy Hash: A121D571A10258AFCB11DF94C809BEE7BFCAF59304F008059E409B7241DBB45A89CF61

Function 0018FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00190668

Part of subcall function 001932A4: RaiseException.KERNEL32(?,?,?,0019068A,?,00241444,?,?,?,?,?,?,0019068A,00171129,00238738,00171129), ref: 00193304

__CxxThrowException@8.LIBVCRUNTIME ref: 00190685

Strings

Unknown exception, xrefs: 00190692

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: ec3202cb10f88f6a120fcd033d53ffc1177ddffc173d827a6362c62c57b06a31
Instruction ID: c56c6aab3181af3422bf777d930355ed042cffb13d78232b3b2d88ebb661c7c8
Opcode Fuzzy Hash: ec3202cb10f88f6a120fcd033d53ffc1177ddffc173d827a6362c62c57b06a31
Instruction Fuzzy Hash: 6EF06D3490030DBBCF05BAA4D846C9E7B6C9F55350B604635B924D65E2EF71EB66CAC0

Function 001710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00171BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00171BF4
Part of subcall function 00171BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00171BFC
Part of subcall function 00171BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00171C07
Part of subcall function 00171BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00171C12
Part of subcall function 00171BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00171C1A
Part of subcall function 00171BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00171C22

Part of subcall function 00171B4A: RegisterWindowMessageW.USER32(00000004,?,001712C4), ref: 00171BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0017136A
OleInitialize.OLE32 ref: 00171388
CloseHandle.KERNEL32(00000000,00000000), ref: 001B24AB

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: a1c42883abd397cd8c92f820e585a8fd59953974b4017df520c50a6bda036696
Instruction ID: 0570f03d2eb3fc7fd4ebf8707339b205891f05e0d7a942b65d9875b207061098
Opcode Fuzzy Hash: a1c42883abd397cd8c92f820e585a8fd59953974b4017df520c50a6bda036696
Instruction Fuzzy Hash: A8719CBC9613048FD388EF79F8496953AF4FB9A344394822AD51AC72A2EB7044F0CF40

Function 001A86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001A85CC,?,00238CC8,0000000C), ref: 001A8704
GetLastError.KERNEL32(?,001A85CC,?,00238CC8,0000000C), ref: 001A870E
__dosmaperr.LIBCMT ref: 001A8739

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 97017a14a0ceb8c2282415ba84cd350b6ba7f27c04fa7600b1ee2eac607fcacc
Instruction ID: 3cf2abb49e2ddbf053baa5b3aad2e5a5b19f7de67e8cc8438f6529c03c618bf9
Opcode Fuzzy Hash: 97017a14a0ceb8c2282415ba84cd350b6ba7f27c04fa7600b1ee2eac607fcacc
Instruction Fuzzy Hash: BB01263EA0962026EB646374A889B7E674A5FD3774F390259F91C8B1D3DFB0CC858190

Function 00181310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001817F6

Strings

CALL, xrefs: 001817C6

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: cc2b04ab77ca71bf65ffc056c78070cd88f8d825fadb428000de76b506e0930e
Instruction ID: 1121d6a208d2e73a011985e43222a9e6c6efa57208bcad63932ccac4daf73a10
Opcode Fuzzy Hash: cc2b04ab77ca71bf65ffc056c78070cd88f8d825fadb428000de76b506e0930e
Instruction Fuzzy Hash: A7228A71608241AFC714EF14C484B2ABBF5BF96314F24896DF49A8B3A1D771EA46CF42

Function 00173837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00173908

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6cb4202a7df90e0d76a55a79c0f9dca47ed3ede95c84de3d92bed5a1dd8e06cb
Instruction ID: 4efb5a65ad7474d3d253c933b2399734698d3061c14579f42104d7ef2617d8d0
Opcode Fuzzy Hash: 6cb4202a7df90e0d76a55a79c0f9dca47ed3ede95c84de3d92bed5a1dd8e06cb
Instruction Fuzzy Hash: D83191B45043019FD720DF24E888797BBF8FB49708F00096EF6A983250E771AA54DB52

Function 00174ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00174E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00174EDD,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174E9C
Part of subcall function 00174E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00174EAE
Part of subcall function 00174E90: FreeLibrary.KERNEL32(00000000,?,?,00174EDD,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174EFD

Part of subcall function 00174E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001B3CDE,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174E62
Part of subcall function 00174E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00174E74
Part of subcall function 00174E59: FreeLibrary.KERNEL32(00000000,?,?,001B3CDE,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174E87

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 21d26bd06d5ec07a960bbf392dd758e5905edb00d2cc0e180a02a1eccd947968
Instruction ID: 110fb176811284d2f9e57831adb8812dc1e1efa39fcbefebb9a75544e16f9c63
Opcode Fuzzy Hash: 21d26bd06d5ec07a960bbf392dd758e5905edb00d2cc0e180a02a1eccd947968
Instruction Fuzzy Hash: A111E332610305ABDF14FB64DC06FAD77B5AF60710F20C42EF54AA61C2EFB4AA559790

Function 001A8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 001A8440

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 74bd8a23746ed8dfeed2e42a02481455dc6b7e4ea6272b47d01a64e9ecf5562f
Instruction ID: 331d8fcbe32e720a86895ce58feaa019932448693f498b347dbfa76d8d2e46c0
Opcode Fuzzy Hash: 74bd8a23746ed8dfeed2e42a02481455dc6b7e4ea6272b47d01a64e9ecf5562f
Instruction Fuzzy Hash: E311187590420AAFCB05DF58E945A9A7BF9EF49314F114059F808AB312DB31EA11CBA5

Function 0019E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 702d0052419437bd937ca92d62c45816321bebc8491b732ae69805e6521d3c53
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 8BF0F436510E10AADF317A69DC05B5A33D89FB3334F100719F824972D2DB70D8028AA5

Function 001A3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00241444,?,0018FDF5,?,?,0017A976,00000010,00241440,001713FC,?,001713C6,?,00171129), ref: 001A3852

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 09e565c0982f75da8cbb3514a691ec8189c09f1adc060dfe24fad27d8ef20352
Instruction ID: 60a928235fc0e7965480236c6c107bff76e9b722d7a0c93314cdaf3153c5f333
Opcode Fuzzy Hash: 09e565c0982f75da8cbb3514a691ec8189c09f1adc060dfe24fad27d8ef20352
Instruction Fuzzy Hash: B5E02B3950122467DB312B779C04F9B3B48AF437B0F150334BC34924D1DB18DD0282E0

Function 00174F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174F6D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 68bd4f6001d9bc022142023d686f40f797806a78fd3c52f963a7e6e8f9e43a95
Instruction ID: 88f3081698036c033e929a8fa2626397d1e66511e2f18d392b227613b99518f5
Opcode Fuzzy Hash: 68bd4f6001d9bc022142023d686f40f797806a78fd3c52f963a7e6e8f9e43a95
Instruction Fuzzy Hash: 51F01571105752CFDB389F68E494822FBF4AF15329320CA6EE1EE82621C7329844DB50

Function 001730F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0017314E

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 20b9a9c9d95f8831f316b8ac30bcab1bc1c201489afea56854b907eeb793c2c8
Instruction ID: 84d2c45707b7dcefe95e6f6ca3ae2edfb6f7f1f2543b39ada0ccfb6e1ea802a0
Opcode Fuzzy Hash: 20b9a9c9d95f8831f316b8ac30bcab1bc1c201489afea56854b907eeb793c2c8
Instruction Fuzzy Hash: 3CF0A7749003149FEB629F24EC497D57BFCB701B08F1000E5A14896182D77047C8CF41

Function 00172DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00172DC4

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: bfa22cee1cf8d75f3865936ac51ffadfeb22bd95d7f5518b92d162a1e94ada5e
Instruction ID: b3a4c019cea6ecbee1584ef073f8dc12afca24574632bebd43f1e3128e79d5da
Opcode Fuzzy Hash: bfa22cee1cf8d75f3865936ac51ffadfeb22bd95d7f5518b92d162a1e94ada5e
Instruction Fuzzy Hash: B9E0CD726002245BC71093589C05FEA77EDDFC8790F154175FD09D7249DB60AD84C550

Function 00172B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00173837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00173908

Part of subcall function 0017D730: GetInputState.USER32 ref: 0017D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00172B6B

Part of subcall function 001730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0017314E

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 04f16f6f4f3673358073dca75e64912ec866baceb760db3ea49e98d85205d8a6
Instruction ID: 4a49bd8a48f849c3d1427fd125ee02b8f1acfd44294e775a62584a215a34eb60
Opcode Fuzzy Hash: 04f16f6f4f3673358073dca75e64912ec866baceb760db3ea49e98d85205d8a6
Instruction Fuzzy Hash: 56E0862130424806C708BB75B85656DB7799BF2355F40953EF15A471A3CF64459A4252

Function 001B039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,001B0704,?,?,00000000,?,001B0704,00000000,0000000C), ref: 001B03B7

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 413e2bb0f0a859c205b927571ad540893d4b2546e6a27699aac1c01fcf42b0a3
Instruction ID: e0be338f7c66944a2d3b4d451647c68d0f3571f28244f15afe0adbe717cbdd43
Opcode Fuzzy Hash: 413e2bb0f0a859c205b927571ad540893d4b2546e6a27699aac1c01fcf42b0a3
Instruction Fuzzy Hash: 5BD06C3204020DBBDF028F84ED06EDA3BAAFB48714F114100BE1856021C732E821AB90

Function 00171CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00171CBC

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a757823319cd6f9eb0c193daab968315c348eab6f799324a45261f6cfb6e7318
Instruction ID: 9cb94bad57737d2fd0ef88793c8235d720e34cd35206cd711c301e693656f733
Opcode Fuzzy Hash: a757823319cd6f9eb0c193daab968315c348eab6f799324a45261f6cfb6e7318
Instruction Fuzzy Hash: 50C0923E280304EFF3188B80BC4EF107BA4E349F00F948001F609B95E3C3A22860EA50

Non-executed Functions

Function 00209576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0020961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0020965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0020969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002096C9
SendMessageW.USER32 ref: 002096F2
GetKeyState.USER32(00000011), ref: 0020978B
GetKeyState.USER32(00000009), ref: 00209798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002097AE
GetKeyState.USER32(00000010), ref: 002097B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002097E9
SendMessageW.USER32 ref: 00209810
SendMessageW.USER32(?,00001030,?,00207E95), ref: 00209918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0020992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00209941
SetCapture.USER32(?), ref: 0020994A
ClientToScreen.USER32(?,?), ref: 002099AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002099BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002099D6
ReleaseCapture.USER32 ref: 002099E1
GetCursorPos.USER32(?), ref: 00209A19
ScreenToClient.USER32(?,?), ref: 00209A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00209A80
SendMessageW.USER32 ref: 00209AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00209AEB
SendMessageW.USER32 ref: 00209B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00209B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00209B4A
GetCursorPos.USER32(?), ref: 00209B68
ScreenToClient.USER32(?,?), ref: 00209B75
GetParent.USER32(?), ref: 00209B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00209BFA
SendMessageW.USER32 ref: 00209C2B
ClientToScreen.USER32(?,?), ref: 00209C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00209CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00209CDE
SendMessageW.USER32 ref: 00209D01
ClientToScreen.USER32(?,?), ref: 00209D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00209D82

Part of subcall function 00189944: GetWindowLongW.USER32(?,000000EB), ref: 00189952

GetWindowLongW.USER32(?,000000F0), ref: 00209E05

Strings

F, xrefs: 00209D07
p#$, xrefs: 00209990
@GUI_DRAGID, xrefs: 0020997D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#$
API String ID: 3429851547-3607781724
Opcode ID: 1ffb44cd79d0a266fdca5b1fd415becf6ad0930b64df3f6545d11ad51b8b20cf
Instruction ID: 0529b5e668eb4740124277b69d7ff2a0c8e700d9d974f9675f860ca4ea6383c7
Opcode Fuzzy Hash: 1ffb44cd79d0a266fdca5b1fd415becf6ad0930b64df3f6545d11ad51b8b20cf
Instruction Fuzzy Hash: 80428075518301AFD724CF24DC48AAABBE9FF89310F144619F656872E3D77298A0CF51

Function 00204873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002048F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00204908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00204927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0020494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0020495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0020497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002049AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002049D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00204A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00204A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00204A7E
IsMenu.USER32(?), ref: 00204A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00204AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00204B20
GetWindowLongW.USER32(?,000000F0), ref: 00204B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00204BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00204C82
wsprintfW.USER32 ref: 00204CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00204CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00204CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00204D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00204D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00204D5A

Strings

%d/%02d/%02d, xrefs: 00204CA8

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 3ffbcddb220faedeba989961bb2d002f3e90402e8f660adc9c4c0dc8cc17d742
Instruction ID: 9c909f3bca514e0d6d7e2b6731f21919717b9c83c30c7d453abe95f01cf0b080
Opcode Fuzzy Hash: 3ffbcddb220faedeba989961bb2d002f3e90402e8f660adc9c4c0dc8cc17d742
Instruction Fuzzy Hash: 6D1214B1610305ABEB24AF24DC49FAE7BF8EF85710F108229F615DB2E2DB749951CB50

Function 0018F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0018F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001CF474
IsIconic.USER32(00000000), ref: 001CF47D
ShowWindow.USER32(00000000,00000009), ref: 001CF48A
SetForegroundWindow.USER32(00000000), ref: 001CF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001CF4AA
GetCurrentThreadId.KERNEL32 ref: 001CF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001CF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 001CF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 001CF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 001CF4DE
SetForegroundWindow.USER32(00000000), ref: 001CF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 001CF4F6
keybd_event.USER32(00000012,00000000), ref: 001CF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 001CF50B
keybd_event.USER32(00000012,00000000), ref: 001CF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 001CF519
keybd_event.USER32(00000012,00000000), ref: 001CF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 001CF528
keybd_event.USER32(00000012,00000000), ref: 001CF52D
SetForegroundWindow.USER32(00000000), ref: 001CF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 001CF557

Strings

Shell_TrayWnd, xrefs: 001CF46F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 861a4d8ba2ae45b1a7380a1f96ab5db3e9d176a921d14ce3807029b6fcf572cb
Instruction ID: 419f40ed8d5973a696b422451baff768e24610e51e00418d3a83df1094f77578
Opcode Fuzzy Hash: 861a4d8ba2ae45b1a7380a1f96ab5db3e9d176a921d14ce3807029b6fcf572cb
Instruction Fuzzy Hash: F43153B1A40318BBEB246BB55C49FBF7E6DEB44B50F210129F600E61D2C7B19D01AA60

Function 001D1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001D170D
Part of subcall function 001D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001D173A
Part of subcall function 001D16C3: GetLastError.KERNEL32 ref: 001D174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 001D1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001D12A8
CloseHandle.KERNEL32(?), ref: 001D12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001D12D1
GetProcessWindowStation.USER32 ref: 001D12EA
SetProcessWindowStation.USER32(00000000), ref: 001D12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001D1310

Part of subcall function 001D10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001D11FC), ref: 001D10D4
Part of subcall function 001D10BF: CloseHandle.KERNEL32(?,?,001D11FC), ref: 001D10E9

Strings

Z#, xrefs: 001D1392
winsta0, xrefs: 001D12CC
default, xrefs: 001D130B
, xrefs: 001D125A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z#
API String ID: 22674027-1370318574
Opcode ID: dd00702bd55d4613e4a06d235182dc020991b215ca55b452e8f3277e3342b008
Instruction ID: ae657e4d14fa90dbe357078e4cc44fdf3bfdd38f7a8de8e94857a122204e08b8
Opcode Fuzzy Hash: dd00702bd55d4613e4a06d235182dc020991b215ca55b452e8f3277e3342b008
Instruction Fuzzy Hash: 42818CB1900309BFDF219FA4DC49FEE7BB9EF08704F14422AF910A62A1D7758A55CB61

Function 001D0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001D1114
Part of subcall function 001D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D1120
Part of subcall function 001D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D112F
Part of subcall function 001D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D1136
Part of subcall function 001D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001D0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001D0C00
GetLengthSid.ADVAPI32(?), ref: 001D0C17
GetAce.ADVAPI32(?,00000000,?), ref: 001D0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001D0C6D
GetLengthSid.ADVAPI32(?), ref: 001D0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001D0C8C
HeapAlloc.KERNEL32(00000000), ref: 001D0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001D0CB4
CopySid.ADVAPI32(00000000), ref: 001D0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001D0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001D0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001D0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D0D45
HeapFree.KERNEL32(00000000), ref: 001D0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D0D55
HeapFree.KERNEL32(00000000), ref: 001D0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D0D65
HeapFree.KERNEL32(00000000), ref: 001D0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 001D0D78
HeapFree.KERNEL32(00000000), ref: 001D0D7F

Part of subcall function 001D1193: GetProcessHeap.KERNEL32(00000008,001D0BB1,?,00000000,?,001D0BB1,?), ref: 001D11A1
Part of subcall function 001D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001D0BB1,?), ref: 001D11A8
Part of subcall function 001D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001D0BB1,?), ref: 001D11B7

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 15feddc8cce8dcb217f8623e2e01ee2bee5280442436eb7fe396f1a957a7ef16
Instruction ID: 1247d94bc3a7492e19d64d240f51e06fbf8f63ab521e1d2d635a7fd74af8159a
Opcode Fuzzy Hash: 15feddc8cce8dcb217f8623e2e01ee2bee5280442436eb7fe396f1a957a7ef16
Instruction Fuzzy Hash: C8716EB190020AAFDF11DFE4DC48FAEBBB9BF09310F144666F914A7291D775AA05CB60

Function 001EEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0020CC08), ref: 001EEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 001EEB37
GetClipboardData.USER32(0000000D), ref: 001EEB43
CloseClipboard.USER32 ref: 001EEB4F
GlobalLock.KERNEL32(00000000), ref: 001EEB87
CloseClipboard.USER32 ref: 001EEB91
GlobalUnlock.KERNEL32(00000000), ref: 001EEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 001EEBC9
GetClipboardData.USER32(00000001), ref: 001EEBD1
GlobalLock.KERNEL32(00000000), ref: 001EEBE2
GlobalUnlock.KERNEL32(00000000), ref: 001EEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 001EEC38
GetClipboardData.USER32(0000000F), ref: 001EEC44
GlobalLock.KERNEL32(00000000), ref: 001EEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001EEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001EEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001EECD2
GlobalUnlock.KERNEL32(00000000), ref: 001EECF3
CountClipboardFormats.USER32 ref: 001EED14
CloseClipboard.USER32 ref: 001EED59

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 578bb9e47d25ad39bc55aac2197c52db43fcb04d2a389e4ffbad53466673d734
Instruction ID: cd82408e9e02c91bc9534c686cdda850ce858ca08da3780b756ed6cac57b449d
Opcode Fuzzy Hash: 578bb9e47d25ad39bc55aac2197c52db43fcb04d2a389e4ffbad53466673d734
Instruction Fuzzy Hash: 6461DF742047419FD310EF61E889F2EB7E8BF94714F248619F85A972A2DB31DD09CB62

Function 001E698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001E69BE
FindClose.KERNEL32(00000000), ref: 001E6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001E6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001E6A75

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 001E6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 001E6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 001E6B6A
%4d, xrefs: 001E6BB1
%03d, xrefs: 001E6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 001E6B32
%02d, xrefs: 001E6C00, 001E6C0A, 001E6C5A, 001E6CAA, 001E6CFA, 001E6D4A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: ff8d8229133c4f9d02aaf3bdb24f698202f3c76da23b4ddefaf5b20c67e5f78a
Instruction ID: a1f2cf111393342559e3662473fdaa0bf1b772a339f2689ecb2813c6afc00ebf
Opcode Fuzzy Hash: ff8d8229133c4f9d02aaf3bdb24f698202f3c76da23b4ddefaf5b20c67e5f78a
Instruction Fuzzy Hash: 6FD16FB1508340AEC710EBA4D885EAFB7FCAFA9704F44491DF589C7191EB34DA08CB62

Function 001E9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 001E9663
GetFileAttributesW.KERNEL32(?), ref: 001E96A1
SetFileAttributesW.KERNEL32(?,?), ref: 001E96BB
FindNextFileW.KERNEL32(00000000,?), ref: 001E96D3
FindClose.KERNEL32(00000000), ref: 001E96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001E96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 001E974A
SetCurrentDirectoryW.KERNEL32(00236B7C), ref: 001E9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 001E9772
FindClose.KERNEL32(00000000), ref: 001E977F
FindClose.KERNEL32(00000000), ref: 001E978F

Strings

*.*, xrefs: 001E96F5

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 13eadbf9d0ae685bcb06023878b5553bef064c069a53bf35ea5f083c36f90eba
Instruction ID: 720e9b53d8f9279766b2e23f60d257c885a96eae468c3d8fe123c44aa20562eb
Opcode Fuzzy Hash: 13eadbf9d0ae685bcb06023878b5553bef064c069a53bf35ea5f083c36f90eba
Instruction Fuzzy Hash: C331D372900A597EDF24AFB5EC4DADE77ACAF09360F204166F905E2092DB30DD448F50

Function 001E979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 001E97BE
FindNextFileW.KERNEL32(00000000,?), ref: 001E9819
FindClose.KERNEL32(00000000), ref: 001E9824
FindFirstFileW.KERNEL32(*.*,?), ref: 001E9840
SetCurrentDirectoryW.KERNEL32(?), ref: 001E9890
SetCurrentDirectoryW.KERNEL32(00236B7C), ref: 001E98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001E98B8
FindClose.KERNEL32(00000000), ref: 001E98C5
FindClose.KERNEL32(00000000), ref: 001E98D5

Part of subcall function 001DDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001DDB00

Strings

*.*, xrefs: 001E983B

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 80e63f2f89b471ddf9fb1789ec0fe2d0e522e70ab6270a3e8e14e6278649905b
Instruction ID: ff11bb33f651f8549fe7c0e0c007506850fb0ffdae739c3686eca23a224c7653
Opcode Fuzzy Hash: 80e63f2f89b471ddf9fb1789ec0fe2d0e522e70ab6270a3e8e14e6278649905b
Instruction Fuzzy Hash: A131C371500A5D6EDF24AFB5EC48EDE77AC9F06324F248155E810A21E2DB30DD458F20

Function 001FBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FB6AE,?,?), ref: 001FC9B5
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FC9F1
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA68
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001FBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 001FBFA9
RegCloseKey.ADVAPI32(00000000), ref: 001FBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001FC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001FC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001FC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001FC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 001FC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001FC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001FC382
RegCloseKey.ADVAPI32(00000000), ref: 001FC38F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 313d0ab4a9bd47f14627caeee2275614d3af7876a58478e2c3fca5d61ffeab97
Instruction ID: cfb2a1804f8d13b80b04ba979368aee26e95cd947249bb563fcc3db590421e93
Opcode Fuzzy Hash: 313d0ab4a9bd47f14627caeee2275614d3af7876a58478e2c3fca5d61ffeab97
Instruction Fuzzy Hash: D1024A716042049FD714DF28C995E2ABBE5FF89308F18C49DF94A8B2A2DB31ED45CB91

Function 001E8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001E8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 001E8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001E8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001E8310
SetCurrentDirectoryW.KERNEL32(?), ref: 001E8324
SetCurrentDirectoryW.KERNEL32(?), ref: 001E8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001E838C
SetCurrentDirectoryW.KERNEL32(?), ref: 001E8395

Strings

*.*, xrefs: 001E839B

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 4b9c59e7eabc69dbe6572342a4e185749ec5ca70b89e2bb850bc06d5dd1b713f
Instruction ID: 512ddbf79e59836a176e19c812639d74168c327744d4e53390daff422a73041b
Opcode Fuzzy Hash: 4b9c59e7eabc69dbe6572342a4e185749ec5ca70b89e2bb850bc06d5dd1b713f
Instruction Fuzzy Hash: FF61A9B25087459FCB10EF60D8809AFB3E8FF99314F04891EF98997251EB31E945CB92

Function 001DD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00173AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00173A97,?,?,00172E7F,?,?,?,00000000), ref: 00173AC2

Part of subcall function 001DE199: GetFileAttributesW.KERNEL32(?,001DCF95), ref: 001DE19A

FindFirstFileW.KERNEL32(?,?), ref: 001DD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 001DD1DD
MoveFileW.KERNEL32(?,?), ref: 001DD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 001DD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 001DD237

Part of subcall function 001DD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,001DD21C,?,?), ref: 001DD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 001DD253
FindClose.KERNEL32(00000000), ref: 001DD264

Strings

\*.*, xrefs: 001DD0CD, 001DD0D6, 001DD0EB

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 81019e371a55803c528b5d6e53898d36458554a20b48997106ee745fde92c5d1
Instruction ID: 7f8ec2f1214c8bbb35a118f6ce48ec338ea6d129211c4e99668ee91f20d82c97
Opcode Fuzzy Hash: 81019e371a55803c528b5d6e53898d36458554a20b48997106ee745fde92c5d1
Instruction Fuzzy Hash: CB614C7180110DAECF05EBE0E992DEDB7B5AF65300F648166E40677292EB306F09DB61

Function 001EED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001EED91
EmptyClipboard.USER32 ref: 001EED97
GlobalAlloc.KERNEL32(00000002,?), ref: 001EEDAC
CloseClipboard.USER32 ref: 001EEEA3

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ac679c3827b35481849fc86b0a848c8e13f13a34dd28a1eaef4d6d0032b27dd6
Instruction ID: f6af1035dfb13e9262d9f40c7b394386080f58e79c15a20ffc96d1ba6c6a01ae
Opcode Fuzzy Hash: ac679c3827b35481849fc86b0a848c8e13f13a34dd28a1eaef4d6d0032b27dd6
Instruction Fuzzy Hash: 5C41BE75604A51AFE720DF16E888F19BBE5FF44318F24C199E4198B6A2C736ED41CB90

Function 001DE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001D170D
Part of subcall function 001D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001D173A
Part of subcall function 001D16C3: GetLastError.KERNEL32 ref: 001D174A

ExitWindowsEx.USER32(?,00000000), ref: 001DE932

Strings

@, xrefs: 001DE925
, xrefs: 001DE920
, xrefs: 001DE95C
SeShutdownPrivilege, xrefs: 001DE902

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: f50a098f38157a47e69db595211c8b11d3d697e269e4a517557c53d576270834
Instruction ID: fbc75e014461852924a37c7924883bafb89e4be7b69c19000ad53d4c3f3be352
Opcode Fuzzy Hash: f50a098f38157a47e69db595211c8b11d3d697e269e4a517557c53d576270834
Instruction Fuzzy Hash: 900126B2611311BBEB1C37B4AC9ABBF72ECA71474AF250923FC02E62D2D7A05C44C590

Function 001F1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001F1276
WSAGetLastError.WSOCK32 ref: 001F1283
bind.WSOCK32(00000000,?,00000010), ref: 001F12BA
WSAGetLastError.WSOCK32 ref: 001F12C5
closesocket.WSOCK32(00000000), ref: 001F12F4
listen.WSOCK32(00000000,00000005), ref: 001F1303
WSAGetLastError.WSOCK32 ref: 001F130D
closesocket.WSOCK32(00000000), ref: 001F133C

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 36e7df2d7aea1a9503b2912b6418bd43a3d4b3083d3a19bea162487274be6412
Instruction ID: 1619fe5d1ec2e05b78ba4a1b59acf50dbaf7c5e57b5284a4129c79a66695b5d2
Opcode Fuzzy Hash: 36e7df2d7aea1a9503b2912b6418bd43a3d4b3083d3a19bea162487274be6412
Instruction Fuzzy Hash: 87417D71600204EFD714DF68D488B29BBE5BF86318F288188E9568F296C771ED81CBA1

Function 001AB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001AB9D4
_free.LIBCMT ref: 001AB9F8
_free.LIBCMT ref: 001ABB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00213700), ref: 001ABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0024121C,000000FF,00000000,0000003F,00000000,?,?), ref: 001ABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00241270,000000FF,?,0000003F,00000000,?), ref: 001ABC36
_free.LIBCMT ref: 001ABD4B

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: d3b8b2bfa05a6b41b283ef98056a9e4211c5a51af02a4090c03e32a6a6df2c17
Instruction ID: 1393672674bb33bf532542bc30edf443e92d72b5dddc75f5f84bf20fc9e47771
Opcode Fuzzy Hash: d3b8b2bfa05a6b41b283ef98056a9e4211c5a51af02a4090c03e32a6a6df2c17
Instruction Fuzzy Hash: 3BC1277D908294AFCB24DF789C85BAABBB8EF53320F14419AE895D7257E7308E41C750

Function 001DD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00173AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00173A97,?,?,00172E7F,?,?,?,00000000), ref: 00173AC2

Part of subcall function 001DE199: GetFileAttributesW.KERNEL32(?,001DCF95), ref: 001DE19A

FindFirstFileW.KERNEL32(?,?), ref: 001DD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 001DD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 001DD481
FindClose.KERNEL32(00000000), ref: 001DD498
FindClose.KERNEL32(00000000), ref: 001DD4A1

Strings

\*.*, xrefs: 001DD3F2

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 6a9c8fb54b639b036aa94a0ec625391c3654a835ed1b8187ca7ec5989a7802d3
Instruction ID: d796f98ce6aad748ba65ac09a880eb8da1bb9baedb8e1c0b47469213265cf483
Opcode Fuzzy Hash: 6a9c8fb54b639b036aa94a0ec625391c3654a835ed1b8187ca7ec5989a7802d3
Instruction Fuzzy Hash: D03163710183459FC304EF64E8568AF77F8BEA5314F548A1EF4D593292EB30AA09D763

Function 001AE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001AE645

Strings

1#QNAN, xrefs: 001AF84B
1#SNAN, xrefs: 001AF844
1#IND, xrefs: 001AF83D
1#INF, xrefs: 001AF852

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 0b9e2454891ed258bbf2f7c42da16e14b3cfbc73f4c4c21cbf89a2cf31d1ee2d
Instruction ID: d1409da03c85ddc52201667503c1025c07950277258ea7c97f63aea12b78517c
Opcode Fuzzy Hash: 0b9e2454891ed258bbf2f7c42da16e14b3cfbc73f4c4c21cbf89a2cf31d1ee2d
Instruction Fuzzy Hash: E5C24A75E046288FDB29CE68DD447EAB7F5EB4A304F1541EAD44DE7240E778AE828F40

Function 001E648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001E64DC
CoInitialize.OLE32(00000000), ref: 001E6639
CoCreateInstance.OLE32(0020FCF8,00000000,00000001,0020FB68,?), ref: 001E6650
CoUninitialize.OLE32 ref: 001E68D4

Strings

.lnk, xrefs: 001E64BA, 001E6524, 001E65E0

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: bc8c6bb4f36b2c486059a63e634eff895001e1fb5557cc4c00327b6b440bb60a
Instruction ID: 660445d7c4946be467787c12282406b36f126a389c619d5585d72e712d68fbe1
Opcode Fuzzy Hash: bc8c6bb4f36b2c486059a63e634eff895001e1fb5557cc4c00327b6b440bb60a
Instruction Fuzzy Hash: E4D14871608741AFC314DF24C881D6BB7E8FFA9744F50896DF5998B2A1DB30E909CB92

Function 001F22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001F22E8

Part of subcall function 001EE4EC: GetWindowRect.USER32(?,?), ref: 001EE504

GetDesktopWindow.USER32 ref: 001F2312
GetWindowRect.USER32(00000000), ref: 001F2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001F2355
GetCursorPos.USER32(?), ref: 001F2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001F23DF

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: ac61c7b645230bd2d4a9ac1600c952cffa11b6d9d92e4382882cb600d6c22bc7
Instruction ID: e0847510ed302f5e545d6ebefdf795bc389aada9764a851874f6663a82a449c0
Opcode Fuzzy Hash: ac61c7b645230bd2d4a9ac1600c952cffa11b6d9d92e4382882cb600d6c22bc7
Instruction Fuzzy Hash: 0A31D2B25053199FC720DF54D849F6BBBE9FF88314F100A19F58597191D734E908CB91

Function 001E9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001E9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001E9C8B

Part of subcall function 001E3874: GetInputState.USER32 ref: 001E38CB
Part of subcall function 001E3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001E3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001E9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001E9C75

Strings

*.*, xrefs: 001E9B5D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 312d74f95a5b7746b0f32050f76884fbeef2bdaab01a6bf94daf7a142f994286
Instruction ID: 38463c1709dea22105306e892f7b8e077d7bef2d7408dc6fda68e6854b27f3b0
Opcode Fuzzy Hash: 312d74f95a5b7746b0f32050f76884fbeef2bdaab01a6bf94daf7a142f994286
Instruction Fuzzy Hash: 82419571900649AFCF15EF65D849AEEBBF8FF15310F248155E815A7191EB30AE84CF60

Function 0018997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00189A4E
GetSysColor.USER32(0000000F), ref: 00189B23
SetBkColor.GDI32(?,00000000), ref: 00189B36

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 295468a83ce460d0c7f39f2d52c230557d9e614a5f082ec43a00857b14c5be35
Instruction ID: ab97940599870e5fbb9c76c5ad9abda46e63a69231312b013ec5eb3075bd1d78
Opcode Fuzzy Hash: 295468a83ce460d0c7f39f2d52c230557d9e614a5f082ec43a00857b14c5be35
Instruction Fuzzy Hash: B1A1F670218614AEE72DBA289C8DE7B3A9DEB52340B19020DF502D7AD2CB65DF51CF71

Function 001F1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001F307A
Part of subcall function 001F304E: _wcslen.LIBCMT ref: 001F309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001F185D
WSAGetLastError.WSOCK32 ref: 001F1884
bind.WSOCK32(00000000,?,00000010), ref: 001F18DB
WSAGetLastError.WSOCK32 ref: 001F18E6
closesocket.WSOCK32(00000000), ref: 001F1915

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 44850098071a4d94b536491539df2979e708420ac572eae2f4c6b67c24da36a9
Instruction ID: c58e023eebfea8741906c0c6ada8462565c5ae92a40a9e35657366b8a538b342
Opcode Fuzzy Hash: 44850098071a4d94b536491539df2979e708420ac572eae2f4c6b67c24da36a9
Instruction Fuzzy Hash: 3E51A071A00204AFDB10AF24D88AF2A77A5AB58718F18C05CFA0A5F3D3D771AD418BA1

Function 00201C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00201CC0
IsWindowEnabled.USER32 ref: 00201CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00201CDB
IsIconic.USER32 ref: 00201CE9
IsZoomed.USER32 ref: 00201CF7

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b2d2f9c4152fa272c1612bb69bacd496cc928964c882f6ee481d1008a6769b54
Instruction ID: f7b2d2611489036fc84b898a360d1368f23c5da56e47d55ab59d39654907f823
Opcode Fuzzy Hash: b2d2f9c4152fa272c1612bb69bacd496cc928964c882f6ee481d1008a6769b54
Instruction Fuzzy Hash: 0E2194717503115FE7208F2AD888B5A7BA5EF95314F198059E8468B293CB71DC62CB91

Function 00178060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0017813C
VUUU, xrefs: 001B5DF0
VUUU, xrefs: 0017843C
VUUU, xrefs: 001783FA
VUUU, xrefs: 001783E8

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: a740145dd90ee148036621ad9604bdb54a2d22fbbd0138c426b0d341d711418e
Instruction ID: b6a6a0654d0c6fd892d5d176e7826458d849212d5c990e485251e7670327447b
Opcode Fuzzy Hash: a740145dd90ee148036621ad9604bdb54a2d22fbbd0138c426b0d341d711418e
Instruction Fuzzy Hash: E2A29070E4061ACBDF28CF58C9847EDB7B2BF54314F2581AAE819A7285DB749D81CF90

Function 001D8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001D82AA

Strings

(, xrefs: 001D82F0
|, xrefs: 001D82DA
tb#, xrefs: 001D84F4

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb#$|
API String ID: 1659193697-4063146538
Opcode ID: 001ce657659ce83d65252b56e730430fca84b9a3c0e171ce1747f8ef4a9a63e0
Instruction ID: d333abec9ab771a237e1ac40acf217cb2e5a09c2bcfe0650ae697ec593117a4a
Opcode Fuzzy Hash: 001ce657659ce83d65252b56e730430fca84b9a3c0e171ce1747f8ef4a9a63e0
Instruction Fuzzy Hash: E1323575A007059FCB28DF59C481A6AB7F0FF48720B15C56EE49ADB3A1EB70E981CB50

Function 001DAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 001DAAAC
SetKeyboardState.USER32(00000080), ref: 001DAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 001DAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 001DAB88

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a051d33736c31cf4f982e8eb3460c16d595dbe73958b521d3c6028df9eee8530
Instruction ID: 2710ed8b7fc1a7c3c4e9738a01b347e95f00f0d10a771e578383c5a56fd0b12a
Opcode Fuzzy Hash: a051d33736c31cf4f982e8eb3460c16d595dbe73958b521d3c6028df9eee8530
Instruction Fuzzy Hash: 3F313B70A40218AEFF35CB64CC05BFA7BAAAF45310F94431BF581563D1D3759982C762

Function 001ECE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 001ECE89
GetLastError.KERNEL32(?,00000000), ref: 001ECEEA
SetEvent.KERNEL32(?,?,00000000), ref: 001ECEFE

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 0801bc3f579924fbed82d93803638af4822898165d40880eb77e6036b0cc3e75
Instruction ID: a7cccc574d2007d7a95de71ce91aaf656ff2dab315c595ccaef301bc4c60fb0c
Opcode Fuzzy Hash: 0801bc3f579924fbed82d93803638af4822898165d40880eb77e6036b0cc3e75
Instruction Fuzzy Hash: BD21BDB1500B05AFEB30DFA6DD49BAABBFCEB50314F20441EE54692151E770EE068BA0

Function 001E5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001E5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 001E5D17
FindClose.KERNEL32(?), ref: 001E5D5F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 86c5dcde0bbf3a314056ffd45e875bc78df2dfcf198b8d0af8f2921e5a544476
Instruction ID: 5df64cf7f052ead0014ebb10d8fb5b3f065482e54210d63fb8c8cdb1f76e7c42
Opcode Fuzzy Hash: 86c5dcde0bbf3a314056ffd45e875bc78df2dfcf198b8d0af8f2921e5a544476
Instruction Fuzzy Hash: 0951BC74600A419FC704CF68C894A9AB7F5FF0A318F14855DE95A8B3A2CB30ED04CF91

Function 001A2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 001A271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001A2724
UnhandledExceptionFilter.KERNEL32(?), ref: 001A2731

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 69c125f5f395041df63452995e59e721fb71e075ad048e1b709fb3bdc288e95c
Instruction ID: 3bba920d33f9b2e2e9d1d2ea36499cd8fbf38574cd2209620231a5232c6f72ed
Opcode Fuzzy Hash: 69c125f5f395041df63452995e59e721fb71e075ad048e1b709fb3bdc288e95c
Instruction Fuzzy Hash: 6831B474911328ABCB21DF68DD89799B7B8AF18710F5042EAE81CA7261E7349F818F45

Function 001E51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001E51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001E5238
SetErrorMode.KERNEL32(00000000), ref: 001E52A1

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 1b103bfc7fba6c5cbeb1cb4daa538e11a5453e6dd06ff9c88301d61ba516d1b3
Instruction ID: d90ba0f188d5145c5677732c03540c97866061e5ea8dbb03861a3f1a92b8263c
Opcode Fuzzy Hash: 1b103bfc7fba6c5cbeb1cb4daa538e11a5453e6dd06ff9c88301d61ba516d1b3
Instruction Fuzzy Hash: 76318175A00608DFDB00DF54D888EADBBB5FF09318F188099E9099B392CB31E845CBA0

Function 001D16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0018FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00190668
Part of subcall function 0018FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00190685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001D170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001D173A
GetLastError.KERNEL32 ref: 001D174A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: ca4f3d19a88dd3194a7b939e62ac20dd65596854ecca508c62b24aa05dd89098
Instruction ID: e0ba8e99ca6f10c298b1ceb24d6a65f9e1378d2f3dca5d7e3a403a591be76dcd
Opcode Fuzzy Hash: ca4f3d19a88dd3194a7b939e62ac20dd65596854ecca508c62b24aa05dd89098
Instruction Fuzzy Hash: A51191B2414304BFD718AF54ECC6D6AB7BDEB44714B20862EE45657251EB70FC418B20

Function 001DD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001DD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001DD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001DD650

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 1828a23776ee02760e6e183bed350395faef182c6aee41ed94964d727400e0a3
Instruction ID: 3f239377940b34ac48b0bc013a591c21e6fb846b2cc81e227bcce2eb761ceb56
Opcode Fuzzy Hash: 1828a23776ee02760e6e183bed350395faef182c6aee41ed94964d727400e0a3
Instruction Fuzzy Hash: 97113CB5E05228BFDB108F95AC49FAFBBBCEB45B50F108156F904E7290D6704A058BA1

Function 001D1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001D168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001D16A1
FreeSid.ADVAPI32(?), ref: 001D16B1

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d83e9eb5e14a4b9336a6e2f090e132a8925b98900fca68b92f77662e07da80cf
Instruction ID: 2572980ef7513f109be5a612d477265e422996799bf23811a392edfa149ea013
Opcode Fuzzy Hash: d83e9eb5e14a4b9336a6e2f090e132a8925b98900fca68b92f77662e07da80cf
Instruction Fuzzy Hash: A0F0F4B1950309FBEB00DFE49D89AAEBBBDFB08604F504565E501E2181E774AA448A50

Function 001AC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 001AC36C

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 5e16be7227409ec67ff79ff346c2d5ef8f8402c3eac63c4864d4caf20f5c673f
Instruction ID: f6d6be266dd1749029f74777c6b67c26dfdb4424f7c4e982a7bb534c1cb6508e
Opcode Fuzzy Hash: 5e16be7227409ec67ff79ff346c2d5ef8f8402c3eac63c4864d4caf20f5c673f
Instruction Fuzzy Hash: F141287A5002196FCB249FB9DC49EBB77B8EB85314F1042A9F915D7180E7709D41CB90

Function 001CD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 001CD28C

Strings

X64, xrefs: 001CD2A8

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: abc0bb06931ac67b1b04d354aaecaa538e37786e3b3847aad24a1a4b3569684e
Instruction ID: 91d0ab567b6d1da4930b1e7bdc6f3043f6627845a65a8edf36229a02da9a310c
Opcode Fuzzy Hash: abc0bb06931ac67b1b04d354aaecaa538e37786e3b3847aad24a1a4b3569684e
Instruction Fuzzy Hash: D1D0C9B480121DEACB98DB90EC88DDAB37CBB14305F100265F106A2040DB3096498F10

Function 0019CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 504e5e857a9639de00b2a428de091a7d1a1f70e9e20d8f18ab2c0fbe2a3da1db
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B6021C71E002199FDF14CFA9C8906AEFBF1EF98314F25816AD859E7384D731AA418BD4

Function 0017CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#$, xrefs: 0017CF7F
Variable is not of type 'Object'., xrefs: 001C0C40

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#$
API String ID: 0-1842369532
Opcode ID: 384c7dda80abc3d7e6a80db98f6be3edea31e61196bf6a9777c5f283c2e3353b
Instruction ID: 19ef3ae684d6df33e11bbc31a7bff92fa8ef5308413bbfee2a578ecbdc015b45
Opcode Fuzzy Hash: 384c7dda80abc3d7e6a80db98f6be3edea31e61196bf6a9777c5f283c2e3353b
Instruction Fuzzy Hash: 23328C74900218DBDF15DF94C885BEDB7B5BF29304F24806DE80AAB292DB35EE45CB91

Function 001E68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001E6918
FindClose.KERNEL32(00000000), ref: 001E6961

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 69497b0d31fe80b7fd72799957a43e4796a64a3410421d08fb6ca096e7b7eda6
Instruction ID: f9fb0d79f00548a73d42cfe4f5af663a14f6a746dd4d50b43733a5a6806bbd2c
Opcode Fuzzy Hash: 69497b0d31fe80b7fd72799957a43e4796a64a3410421d08fb6ca096e7b7eda6
Instruction Fuzzy Hash: 7D1190716046409FC710DF2AD488A1ABBE5FF95328F54C69DE8698F6A3C730EC05CB91

Function 001E37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001F4891,?,?,00000035,?), ref: 001E37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001F4891,?,?,00000035,?), ref: 001E37F4

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8b960f46332759bd1dfb0358f8f2a56c7d1f4db9fbfbe541764e9e7bdf191675
Instruction ID: d915b7e251b0f6008f60383a866df51333feb0724fee6323c005318e9828bcf2
Opcode Fuzzy Hash: 8b960f46332759bd1dfb0358f8f2a56c7d1f4db9fbfbe541764e9e7bdf191675
Instruction Fuzzy Hash: 64F0E5B0A053282AEB2017679C4DFEB3AAEEFC4761F000269F509D3281DB609908C6B0

Function 001DB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 001DB25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 001DB270

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: c4241210bc182ab9181442cd1fdd583e366b72947e1e0ee91447766d81dcd312
Instruction ID: a5ca0805127ca21f9f1435678e0fe344d00894a8ce5214f5776751ad494a6ac4
Opcode Fuzzy Hash: c4241210bc182ab9181442cd1fdd583e366b72947e1e0ee91447766d81dcd312
Instruction Fuzzy Hash: FFF01D7580424DABDF059FA0D805BAE7FB4FF04305F10800AF955A51A2C3799611DF94

Function 001D10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001D11FC), ref: 001D10D4
CloseHandle.KERNEL32(?,?,001D11FC), ref: 001D10E9

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6e076a8d83c54a60efcf18956bee1dfa36445527b0dc2c0e907ae0fd5b40ee53
Instruction ID: d235b015f7548c6a0613636effb57f3bef03d37fd80077f95728819d525cd6eb
Opcode Fuzzy Hash: 6e076a8d83c54a60efcf18956bee1dfa36445527b0dc2c0e907ae0fd5b40ee53
Instruction Fuzzy Hash: D0E0BF72018710FEE7253B51FC09E7777A9EB04311B24892EF5A5805B1DB626CA1DB50

Function 001A676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001A6766,?,?,00000008,?,?,001AFEFE,00000000), ref: 001A6998

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 67f434ec1017b4203846a71b34737b9c45b49135f91755c562de744b8687cf65
Instruction ID: cd22ce66d7c1738302452e49c98c2d17c19162fda0726a9be5fdcd04a2767c09
Opcode Fuzzy Hash: 67f434ec1017b4203846a71b34737b9c45b49135f91755c562de744b8687cf65
Instruction Fuzzy Hash: 36B14D79610608DFD719CF28C48AB657BE0FF46364F298658E899CF2A2C339D991CB40

Function 0018B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 001C851F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: cd6892bdddadb131a157e33898db15726e5b5cc8314181a9a94772f38d30c969
Instruction ID: c93ac1ed1c1772f9eaa63ff847f33f18966c5b47518e6687de6a1e304062c1b9
Opcode Fuzzy Hash: cd6892bdddadb131a157e33898db15726e5b5cc8314181a9a94772f38d30c969
Instruction Fuzzy Hash: A3125D719042299BCB24DF58C881BEEB7B5FF58710F1581AAE849EB255DB30DE81CF90

Function 001EEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001EEABD

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 22a524ebd6c7cb24b15f41576d62a381bb79426de76c1b22e4dfe90e70891c00
Instruction ID: 5126d2ff89e08b1eda9ae01bcbc698441c22e268078fcbeeac963c4e05bf0c9c
Opcode Fuzzy Hash: 22a524ebd6c7cb24b15f41576d62a381bb79426de76c1b22e4dfe90e70891c00
Instruction Fuzzy Hash: 87E01A712002049FC710EF6AE844E9AB7E9AFA8760F00842AFC4AC7291DB70E8408B90

Function 001909D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001903EE), ref: 001909DA

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b4f5202c4b3f0eaedc0ae4b7ee8d8f38c54a5718521a4e82c338ab570edca3cf
Instruction ID: e1e8d3a05afc8a210a1eb4169723e3b220964581ca3d346ffe9b0ce9b6d12a81
Opcode Fuzzy Hash: b4f5202c4b3f0eaedc0ae4b7ee8d8f38c54a5718521a4e82c338ab570edca3cf
Instruction Fuzzy Hash:

Function 0019781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0019798B

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: a3576c8e46caf9d6dff2a73960fd42a5c29c161c3fa10de2f75d4320474fe6da
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 7251877163C7059BDF3C8578885EBBE6389DF22358F180909E886DB2C2CB15EE02D356

Function 001E2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&$, xrefs: 001E2053

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: 0&$
API String ID: 0-620190583
Opcode ID: 016b2d10b011cb042c19fcac43a8d4ba062bb825db67858cd9381b814fc23446
Instruction ID: 69dee0a3a59bc5453db7d8d53dd94d0ae280ee04de09b4034c22fb92dbf305fb
Opcode Fuzzy Hash: 016b2d10b011cb042c19fcac43a8d4ba062bb825db67858cd9381b814fc23446
Instruction Fuzzy Hash: EF21BB326205158BD728CF7AD82367E73E9A754310F55862EF4A7C37D0DE75A904C780

Function 001A6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc193aee10c55fc2ec7c12379c2cd69a54df9348c6ac58f367ac715a4e13c1a
Instruction ID: b2cca244a9f7c1ef70e00d05c2245787dd6e98be4167363512aabcb38d218aed
Opcode Fuzzy Hash: 4bc193aee10c55fc2ec7c12379c2cd69a54df9348c6ac58f367ac715a4e13c1a
Instruction Fuzzy Hash: F5324526D29F018DD7239634EC26336A689AFB73C5F15C737F81AB59A6EF29C5834100

Function 0018CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8675c4bf2d9779eca38c5640a96c55e099c76940b66f2f14b5f726cef2f8b1
Instruction ID: 5d8289f3812547257e892a1dba07cef46aa6ff05c65dba4d4b52b9fb9c6bcc30
Opcode Fuzzy Hash: be8675c4bf2d9779eca38c5640a96c55e099c76940b66f2f14b5f726cef2f8b1
Instruction Fuzzy Hash: D4320331A002558BCF28DE68C494FBDBBA1EB65314F29856ED44E8B691E330DE81DBD1

Function 00177920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862bf1fd9d6361f1e68342ecfe0e49a4768c0b68159efee5d0461033b6d423c9
Instruction ID: f163b8ba4477f0d9b3f9172ec9a60908abaf9f983ea2896f3ed61dfc4fb5d20b
Opcode Fuzzy Hash: 862bf1fd9d6361f1e68342ecfe0e49a4768c0b68159efee5d0461033b6d423c9
Instruction Fuzzy Hash: E822AF70A04609DFDF14DF64D881AEEB3F6FF58300F148529E81AA7291EB369E15CB50

Function 001791C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02832197681b96694dd914e50002c312ee3c25af05f8eb2fedfe0d2f7c208004
Instruction ID: 79590f15d7c0c342640f598f9b7ee0b3b640d2e7e1092079d49839b9cc7c916e
Opcode Fuzzy Hash: 02832197681b96694dd914e50002c312ee3c25af05f8eb2fedfe0d2f7c208004
Instruction Fuzzy Hash: 490295B1A00205EBDF04DF64D981AEDBBF5FF54300F118169E81ADB291EB31AE55CB91

Function 001A9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d532323694a7f0aea764ab0259f4891de9b5cdb09a90ca5343a4fbf9d6752af9
Instruction ID: 234fb3270cc58684328df4f31172bf6a38e1b5599e086504191dd981ac68cb42
Opcode Fuzzy Hash: d532323694a7f0aea764ab0259f4891de9b5cdb09a90ca5343a4fbf9d6752af9
Instruction Fuzzy Hash: 05B1F120D2AF404DC22396399835336FA5DAFBB6D5F91D31BFC2674D22EF2286834180

Function 00191C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: bc755886803c95924f0cfe1d9bfa76a469cd3ce37eaac98d7ec73a5d73191ab0
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 739186736090A35ADF2E467E857807EFFE15A923A131A079ED4F2CA1C5FF20D994D620

Function 00191F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: e3a93c00f215c26d9ca876c28cd947d122bc141a751ed6719f25f3238e388cc4
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 569156736090A359DF6D4239857443EFFE15A923A131E07ADE4F2CB1C5EF3495A8E620

Function 001919B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a3e8f38f07f0a51d752eb15114a4ba03bde9787a01b4b1f206728bc66915cf93
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 1C912F722090E35ADF2D467A857407EFFF15A923A231A079ED4F3CB1C5FF2499A49620

Function 00197A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f033a01c463947df0822e1a6a25571d2c0f55464bc0117b405b44a14bfc97e
Instruction ID: ffb72166f5ad4a79b563ce95f58acbf8b7486041652331f6b0ac515f07dbe29d
Opcode Fuzzy Hash: d1f033a01c463947df0822e1a6a25571d2c0f55464bc0117b405b44a14bfc97e
Instruction Fuzzy Hash: 37616B7173870A96DE3CAA2C8C95BBE2395EF52704F18091AE843DB2D1D715DE42C355

Function 00197CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7405ddb0fbe48fb6215ebf42dac2ebe6946c5185380d3071dad639c9b81105b4
Instruction ID: 89aed0d91b2abd27c64aaf14b52782eb1d1d9de1218c4d12f8c9dc67621f05d0
Opcode Fuzzy Hash: 7405ddb0fbe48fb6215ebf42dac2ebe6946c5185380d3071dad639c9b81105b4
Instruction Fuzzy Hash: 80618971738709A7DE3D5AA89892BBF23C8EF52744F140959E843DB2C1DB12ED428355

Function 00191706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: df36bde7c389126d06470f3f6d0fec8bf5a40a40b950c49301686a2aa7be3d17
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 1E8195736080A31EEF6E427A853407EFFE15A923A531A079ED4F2CB1C1EF24D594E620

Function 001F2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001F2B30
DeleteObject.GDI32(00000000), ref: 001F2B43
DestroyWindow.USER32 ref: 001F2B52
GetDesktopWindow.USER32 ref: 001F2B6D
GetWindowRect.USER32(00000000), ref: 001F2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 001F2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001F2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2CF8
GetClientRect.USER32(00000000,?), ref: 001F2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001F2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2D80
GlobalLock.KERNEL32(00000000), ref: 001F2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2D98
GlobalUnlock.KERNEL32(00000000), ref: 001F2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2DA8
GlobalFree.KERNEL32(00000000), ref: 001F2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0020FC38,00000000), ref: 001F2DDB
GlobalFree.KERNEL32(00000000), ref: 001F2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 001F2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001F2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F303F

Strings

DISPLAY, xrefs: 001F2EA2
AutoIt v3, xrefs: 001F2CF2
, xrefs: 001F2FC5
static, xrefs: 001F2D3A, 001F2E91

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 981608a1cb5158d365c908026022c5288c290bc54eb90c4fe8399dffa857d67b
Instruction ID: bfa16105802b24fb77ed215feace4a3af154d7ee09845ef465780952171e9c79
Opcode Fuzzy Hash: 981608a1cb5158d365c908026022c5288c290bc54eb90c4fe8399dffa857d67b
Instruction Fuzzy Hash: DA027EB5500208EFDB14DF64DC8DEAE7BB9EF49714F148258F919AB2A1CB70AD01CB60

Function 002070D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0020712F
GetSysColorBrush.USER32(0000000F), ref: 00207160
GetSysColor.USER32(0000000F), ref: 0020716C
SetBkColor.GDI32(?,000000FF), ref: 00207186
SelectObject.GDI32(?,?), ref: 00207195
InflateRect.USER32(?,000000FF,000000FF), ref: 002071C0
GetSysColor.USER32(00000010), ref: 002071C8
CreateSolidBrush.GDI32(00000000), ref: 002071CF
FrameRect.USER32(?,?,00000000), ref: 002071DE
DeleteObject.GDI32(00000000), ref: 002071E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00207230
FillRect.USER32(?,?,?), ref: 00207262
GetWindowLongW.USER32(?,000000F0), ref: 00207284

Part of subcall function 002073E8: GetSysColor.USER32(00000012), ref: 00207421
Part of subcall function 002073E8: SetTextColor.GDI32(?,?), ref: 00207425
Part of subcall function 002073E8: GetSysColorBrush.USER32(0000000F), ref: 0020743B
Part of subcall function 002073E8: GetSysColor.USER32(0000000F), ref: 00207446
Part of subcall function 002073E8: GetSysColor.USER32(00000011), ref: 00207463
Part of subcall function 002073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00207471
Part of subcall function 002073E8: SelectObject.GDI32(?,00000000), ref: 00207482
Part of subcall function 002073E8: SetBkColor.GDI32(?,00000000), ref: 0020748B
Part of subcall function 002073E8: SelectObject.GDI32(?,?), ref: 00207498
Part of subcall function 002073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002074B7
Part of subcall function 002073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002074CE
Part of subcall function 002073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002074DB

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 4218f5588df9e3bf8e9166f9c99e9548842abf29d6d08ab4b450f6b9d2ffdbd3
Instruction ID: 89962cd8c361a2d54825566dfb44482dfb502820aac482d698cab49b82a025c6
Opcode Fuzzy Hash: 4218f5588df9e3bf8e9166f9c99e9548842abf29d6d08ab4b450f6b9d2ffdbd3
Instruction Fuzzy Hash: 20A192B2418301AFD7119F60EC4CA5BBBA9FF49320F200B19F966A61E2D771E954CF51

Function 00188D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00188E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 001C6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 001C6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001C6F43

Part of subcall function 00188F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00188BE8,?,00000000,?,?,?,?,00188BBA,00000000,?), ref: 00188FC5

SendMessageW.USER32(?,00001053), ref: 001C6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001C6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 001C6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 001C6FB7

Strings

0, xrefs: 001C6DCF

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5350cc1339a6daf9504d490862f577175be884363f7cf325624f217ffecec019
Instruction ID: 3aa4e3a46d3ea729ba2d42d0d7294eb93e6b447c55ad4e6cf69f802c75345da7
Opcode Fuzzy Hash: 5350cc1339a6daf9504d490862f577175be884363f7cf325624f217ffecec019
Instruction Fuzzy Hash: 0C128B34204601DFDB25DF24D898FAABBE5FB69300F54456DE4858B262CB31EDA1CF91

Function 001F2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001F273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001F286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001F28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001F28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 001F2900
GetClientRect.USER32(00000000,?), ref: 001F290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001F2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001F2964
GetStockObject.GDI32(00000011), ref: 001F2974
SelectObject.GDI32(00000000,00000000), ref: 001F2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001F2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001F2991
DeleteDC.GDI32(00000000), ref: 001F299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001F29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001F29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 001F2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001F2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 001F2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001F2A77
GetStockObject.GDI32(00000011), ref: 001F2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001F2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001F2A97

Strings

DISPLAY, xrefs: 001F295A
AutoIt v3, xrefs: 001F28F8
msctls_progress32, xrefs: 001F2A13
static, xrefs: 001F294F, 001F2A71

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 6646c668cfd53743b31e8aa1579a413623eb2cb75c57a9c9c7dbc6cff3cc868a
Instruction ID: 1191ff4987bf9128317488f8d61846c70d365abbe79cc569a337cf2b4a5da06d
Opcode Fuzzy Hash: 6646c668cfd53743b31e8aa1579a413623eb2cb75c57a9c9c7dbc6cff3cc868a
Instruction Fuzzy Hash: 3EB15EB5A40209AFDB14DFA4DC89FAE7BB9EB45710F108254FA15E72D1D770AD40CB50

Function 001E4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001E4AED
GetDriveTypeW.KERNEL32(?,0020CB68,?,\\.\,0020CC08), ref: 001E4BCA
SetErrorMode.KERNEL32(00000000,0020CB68,?,\\.\,0020CC08), ref: 001E4D36

Strings

RAMDisk, xrefs: 001E4BF4
MMC, xrefs: 001E4CDE
SSA, xrefs: 001E4CA6
FileBackedVirtual, xrefs: 001E4CEC
Fixed, xrefs: 001E4C09
1394, xrefs: 001E4C9F
CDROM, xrefs: 001E4BFB
Fibre, xrefs: 001E4CAD
USB, xrefs: 001E4CB4
PhysicalDrive, xrefs: 001E4B76
Removable, xrefs: 001E4C10, 001E4C15
Network, xrefs: 001E4C02
ATA, xrefs: 001E4C98
Unknown, xrefs: 001E4BED, 001E4C83
SAS, xrefs: 001E4CC9
SATA, xrefs: 001E4CD0
SSD, xrefs: 001E4C4A
ATAPI, xrefs: 001E4C91
SCSI, xrefs: 001E4C8A
RAID, xrefs: 001E4CBB
iSCSI, xrefs: 001E4CC2
Virtual, xrefs: 001E4CE5
\\.\, xrefs: 001E4B3F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 84ab3321391b969135d0312701f1e593b4c707dc1db7b19145d60e51b3a57d74
Instruction ID: 053d004aa07cfdaae71e93ac95d50e80e08e47a508467852743dec989a48961c
Opcode Fuzzy Hash: 84ab3321391b969135d0312701f1e593b4c707dc1db7b19145d60e51b3a57d74
Instruction Fuzzy Hash: 00611470711A49ABCB08DF26CA86D6C77F4BB15700F34C416F80AAB692DB31ED81DB51

Function 002073E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00207421
SetTextColor.GDI32(?,?), ref: 00207425
GetSysColorBrush.USER32(0000000F), ref: 0020743B
GetSysColor.USER32(0000000F), ref: 00207446
CreateSolidBrush.GDI32(?), ref: 0020744B
GetSysColor.USER32(00000011), ref: 00207463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00207471
SelectObject.GDI32(?,00000000), ref: 00207482
SetBkColor.GDI32(?,00000000), ref: 0020748B
SelectObject.GDI32(?,?), ref: 00207498
InflateRect.USER32(?,000000FF,000000FF), ref: 002074B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002074CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002074DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0020752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00207554
InflateRect.USER32(?,000000FD,000000FD), ref: 00207572
DrawFocusRect.USER32(?,?), ref: 0020757D
GetSysColor.USER32(00000011), ref: 0020758E
SetTextColor.GDI32(?,00000000), ref: 00207596
DrawTextW.USER32(?,002070F5,000000FF,?,00000000), ref: 002075A8
SelectObject.GDI32(?,?), ref: 002075BF
DeleteObject.GDI32(?), ref: 002075CA
SelectObject.GDI32(?,?), ref: 002075D0
DeleteObject.GDI32(?), ref: 002075D5
SetTextColor.GDI32(?,?), ref: 002075DB
SetBkColor.GDI32(?,?), ref: 002075E5

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b5b4d677a47659f6e6476a68efaa8e33946e3552b8f28f59683350701193d246
Instruction ID: 3304611d6cf1739b05d7a967c56050834376c3323289f10eb518665b3fa4b53d
Opcode Fuzzy Hash: b5b4d677a47659f6e6476a68efaa8e33946e3552b8f28f59683350701193d246
Instruction Fuzzy Hash: 01616075D00219AFDB019FA4DC49ADEBF79EB09320F214215F915B72E2D771A950CF90

Function 00200FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00201128
GetDesktopWindow.USER32 ref: 0020113D
GetWindowRect.USER32(00000000), ref: 00201144
GetWindowLongW.USER32(?,000000F0), ref: 00201199
DestroyWindow.USER32(?), ref: 002011B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002011ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0020120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0020121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00201232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00201245
IsWindowVisible.USER32(00000000), ref: 002012A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002012BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002012D0
GetWindowRect.USER32(00000000,?), ref: 002012E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0020130E
GetMonitorInfoW.USER32(00000000,?), ref: 00201328
CopyRect.USER32(?,?), ref: 0020133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002013AA

Strings

tooltips_class32, xrefs: 002011E6
(, xrefs: 0020131B
0, xrefs: 002010D3

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 2d86074b692c96d7041669fa710f1ca11d4de49cfd3dfde7bb684bf8102aab00
Instruction ID: a82ae5bbcd564136a77367d371cd3a3827071465e91dca79dfd92da98c6cddc2
Opcode Fuzzy Hash: 2d86074b692c96d7041669fa710f1ca11d4de49cfd3dfde7bb684bf8102aab00
Instruction Fuzzy Hash: 79B1AC71618341AFD714DF64D888B6EBBE4FF84714F00891CF9999B2A2C771E864CB91

Function 00200241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002002E5
_wcslen.LIBCMT ref: 0020031F
_wcslen.LIBCMT ref: 00200389
_wcslen.LIBCMT ref: 002003F1
_wcslen.LIBCMT ref: 00200475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002004C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00200504

Part of subcall function 0018F9F2: _wcslen.LIBCMT ref: 0018F9FD

Part of subcall function 001D223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001D2258
Part of subcall function 001D223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001D228A

Strings

GETSELECTED, xrefs: 002005E1
FINDITEM, xrefs: 00200627
SELECT, xrefs: 00200548
GETSUBITEMCOUNT, xrefs: 00200384, 0020039F
GETITEMCOUNT, xrefs: 00200316, 00200337
SELECTALL, xrefs: 00200515
GETTEXT, xrefs: 002003EC, 00200407
ISSELECTED, xrefs: 002004DD
SELECTINVERT, xrefs: 0020057E
GETSELECTEDCOUNT, xrefs: 00200470, 0020048B
SELECTCLEAR, xrefs: 0020052D
DESELECT, xrefs: 0020059C
VIEWCHANGE, xrefs: 00200675

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 5f1acd1afb6ff00998ba17efb672539306724df3eeb183d5cec0b2b49f3249a8
Instruction ID: 49aa8416e1138e761c8a48e6d1fc4281f00b08956d9c211b944e27aa88a66701
Opcode Fuzzy Hash: 5f1acd1afb6ff00998ba17efb672539306724df3eeb183d5cec0b2b49f3249a8
Instruction Fuzzy Hash: 0BE1B2712283018FDB24DF24C490A2AB7E6BF98714F14895DF8969B3E2DB30ED55CB41

Function 00188891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00188968
GetSystemMetrics.USER32(00000007), ref: 00188970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0018899B
GetSystemMetrics.USER32(00000008), ref: 001889A3
GetSystemMetrics.USER32(00000004), ref: 001889C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001889E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001889F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00188A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00188A3C
GetClientRect.USER32(00000000,000000FF), ref: 00188A5A
GetStockObject.GDI32(00000011), ref: 00188A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00188A81

Part of subcall function 0018912D: GetCursorPos.USER32(?), ref: 00189141
Part of subcall function 0018912D: ScreenToClient.USER32(00000000,?), ref: 0018915E
Part of subcall function 0018912D: GetAsyncKeyState.USER32(00000001), ref: 00189183
Part of subcall function 0018912D: GetAsyncKeyState.USER32(00000002), ref: 0018919D

SetTimer.USER32(00000000,00000000,00000028,001890FC), ref: 00188AA8

Strings

AutoIt v3 GUI, xrefs: 00188A20

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 2f7af2d523242e1f0debd342eff4c42078ed6acbd781e99101ba49a1b653c278
Instruction ID: f86a3e6ee8d72b3f53f3e683bc17e6a46974fdc0624d05b7a828015bd468a82b
Opcode Fuzzy Hash: 2f7af2d523242e1f0debd342eff4c42078ed6acbd781e99101ba49a1b653c278
Instruction Fuzzy Hash: 81B17A75A00209AFDB14EFA8DC89FAE3BB5FB48314F114229FA15A7290DB34E951CF51

Function 001D0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001D1114
Part of subcall function 001D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D1120
Part of subcall function 001D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D112F
Part of subcall function 001D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D1136
Part of subcall function 001D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001D0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001D0E29
GetLengthSid.ADVAPI32(?), ref: 001D0E40
GetAce.ADVAPI32(?,00000000,?), ref: 001D0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001D0E96
GetLengthSid.ADVAPI32(?), ref: 001D0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001D0EB5
HeapAlloc.KERNEL32(00000000), ref: 001D0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001D0EDD
CopySid.ADVAPI32(00000000), ref: 001D0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001D0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001D0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001D0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D0F6E
HeapFree.KERNEL32(00000000), ref: 001D0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D0F7E
HeapFree.KERNEL32(00000000), ref: 001D0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D0F8E
HeapFree.KERNEL32(00000000), ref: 001D0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 001D0FA1
HeapFree.KERNEL32(00000000), ref: 001D0FA8

Part of subcall function 001D1193: GetProcessHeap.KERNEL32(00000008,001D0BB1,?,00000000,?,001D0BB1,?), ref: 001D11A1
Part of subcall function 001D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001D0BB1,?), ref: 001D11A8
Part of subcall function 001D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001D0BB1,?), ref: 001D11B7

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: cf9a55061ce3da276b32d888fd3a98a3a54eb37088eca799d2e1c93b2a1a0749
Instruction ID: d98b5e0f1c84ca67b15477de16c76ff31dd68b6601140a58eca0b923ca98edc6
Opcode Fuzzy Hash: cf9a55061ce3da276b32d888fd3a98a3a54eb37088eca799d2e1c93b2a1a0749
Instruction Fuzzy Hash: 417152B2900309ABDF119FA5DC48FEEBBB9BF08310F244216F959E6291D7719905CB60

Function 001FC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001FC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0020CC08,00000000,?,00000000,?,?), ref: 001FC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001FC5A4
_wcslen.LIBCMT ref: 001FC5F4
_wcslen.LIBCMT ref: 001FC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001FC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001FC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001FC84D
RegCloseKey.ADVAPI32(?), ref: 001FC881
RegCloseKey.ADVAPI32(00000000), ref: 001FC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001FC960

Strings

REG_QWORD, xrefs: 001FC8C3
REG_EXPAND_SZ, xrefs: 001FC5CD
REG_DWORD, xrefs: 001FC804
REG_SZ, xrefs: 001FC644
REG_MULTI_SZ, xrefs: 001FC6F5
REG_BINARY, xrefs: 001FC913

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 9da74bd8da41ba535d9f6d10c118af40335962e5996d4bd4c4808a29fbf1bdf6
Instruction ID: 07c11a74c4354f5511c3fd94fe4f06f5e33c68999ed519855e07149efafcf572
Opcode Fuzzy Hash: 9da74bd8da41ba535d9f6d10c118af40335962e5996d4bd4c4808a29fbf1bdf6
Instruction Fuzzy Hash: 651266756042059FDB14DF24C981A2AB7F5FF88724F14889CF98A9B3A2DB31ED41DB81

Function 0020091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002009C6
_wcslen.LIBCMT ref: 00200A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00200A54
_wcslen.LIBCMT ref: 00200A8A
_wcslen.LIBCMT ref: 00200B06
_wcslen.LIBCMT ref: 00200B81

Part of subcall function 0018F9F2: _wcslen.LIBCMT ref: 0018F9FD

Part of subcall function 001D2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001D2BFA

Strings

GETITEMCOUNT, xrefs: 00200C1E
ISCHECKED, xrefs: 00200CE1
GETSELECTED, xrefs: 00200C4E
CHECK, xrefs: 00200A85, 00200AA0
GETTEXT, xrefs: 00200C97
EXPAND, xrefs: 00200BF8
GETTOTALCOUNT, xrefs: 002009F2, 00200A17
UNCHECK, xrefs: 00200D3E
EXISTS, xrefs: 00200B7C, 00200B97
SELECT, xrefs: 00200D11
COLLAPSE, xrefs: 00200B01, 00200B1C

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: fbfa3ea3fcf24dbd32d571e522ca0181f4275529a47d43aa4798934e6a38a4a8
Instruction ID: 6dc2aef6f94898f15f3a515451bb48e6344229bb56d5fa3c7d63f7fb39ed8eb3
Opcode Fuzzy Hash: fbfa3ea3fcf24dbd32d571e522ca0181f4275529a47d43aa4798934e6a38a4a8
Instruction Fuzzy Hash: BEE1A0712283029FDB14DF24C490A2AB7E1FFA9318F14895DF8995B3A2D730ED55CB91

Function 001FC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FB6AE,?,?), ref: 001FC9B5
_wcslen.LIBCMT ref: 001FC9F1
_wcslen.LIBCMT ref: 001FCA68
_wcslen.LIBCMT ref: 001FCA9E
_wcslen.LIBCMT ref: 001FCAF9
_wcslen.LIBCMT ref: 001FCB2F
_wcslen.LIBCMT ref: 001FCB7F

Strings

HKEY_CURRENT_USER, xrefs: 001FCBBD
HKCR, xrefs: 001FCB29, 001FCB2E
HKCC, xrefs: 001FCBAC
HKCU, xrefs: 001FCBCE
HKEY_USERS, xrefs: 001FCBDF
HKEY_CLASSES_ROOT, xrefs: 001FCAF3, 001FCAF8
HKLM, xrefs: 001FCA98, 001FCA9D
HKEY_CURRENT_CONFIG, xrefs: 001FCB79, 001FCB7E
HKU, xrefs: 001FCBF0
HKEY_LOCAL_MACHINE, xrefs: 001FCA62, 001FCA67

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 1617f3806bac2b084dd986646bf7f8779653fb7034221d2bd15e25a1981ff67a
Instruction ID: e6be702c51fe5bb879c417fce4145109dc76143c0a849f9ba706896b8e34a6f6
Opcode Fuzzy Hash: 1617f3806bac2b084dd986646bf7f8779653fb7034221d2bd15e25a1981ff67a
Instruction Fuzzy Hash: E9710372A1012E8BCF20DE7CCA515BA33A1AFB0794F250528FA5697284FB31DD55E7E0

Function 0020833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0020835A
_wcslen.LIBCMT ref: 0020836E
_wcslen.LIBCMT ref: 00208391
_wcslen.LIBCMT ref: 002083B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002083F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00205BF2), ref: 0020844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00208487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002084CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00208501
FreeLibrary.KERNEL32(?), ref: 0020850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0020851D
DestroyIcon.USER32(?,?,?,?,?,00205BF2), ref: 0020852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00208549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00208555

Strings

.exe, xrefs: 00208388
.dll, xrefs: 002083AB
.icl, xrefs: 00208368

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 218d1eda0e3ced2bb82a8fd67c9ef3dc255d6fa9e7e42b5ca4c375ba63bb94e2
Instruction ID: 53c9b1aff8b7edf152bcff56e47276be3f140cf22a67325d48592bd47126e3e1
Opcode Fuzzy Hash: 218d1eda0e3ced2bb82a8fd67c9ef3dc255d6fa9e7e42b5ca4c375ba63bb94e2
Instruction Fuzzy Hash: BD61E3B1510316BBEB14CF64DC85FBF7BA8BB08721F104609F855D61D2DB749960C7A0

Function 00177778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 00177817
Unterminated group of comments, xrefs: 001B528C
#comments-start, xrefs: 0017785F, 001778B1
#pragma compile, xrefs: 001777D3
Bad directive syntax error, xrefs: 001B519A
#comments-end, xrefs: 001778D9
#cs, xrefs: 00177873, 001778C5
', xrefs: 001B5169
", xrefs: 001B5153
#notrayicon, xrefs: 001777E7
#requireadmin, xrefs: 001777FF
#include, xrefs: 00177847
#include-once, xrefs: 0017782F
#ce, xrefs: 001778ED
Cannot parse #include, xrefs: 001B5279

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 0251f72dff02b4e0aa3e957551ba6db97d1f44782c668c015ac526c21d177b4b
Instruction ID: b124a54e450d9a21daec3d92a1a3d9cc86c3d38b79fa9c9ab99acd8b9f11adf0
Opcode Fuzzy Hash: 0251f72dff02b4e0aa3e957551ba6db97d1f44782c668c015ac526c21d177b4b
Instruction Fuzzy Hash: 6A810771644205BBDB25BF64DC86FEE37B9AF25300F058025F908AB1D6EB70DA21C7A1

Function 001E3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 001E3EF8
_wcslen.LIBCMT ref: 001E3F03
_wcslen.LIBCMT ref: 001E3F5A
_wcslen.LIBCMT ref: 001E3F98
GetDriveTypeW.KERNEL32(?), ref: 001E3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001E401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001E4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001E4087

Strings

close, xrefs: 001E3EFE, 001E3F18
open, xrefs: 001E3F54, 001E3F59
open , xrefs: 001E3FE5
type cdaudio alias cd wait, xrefs: 001E4001
closed, xrefs: 001E3F08, 001E3F2D, 001E3F46, 001E3F7E, 001E3F97
set cd door , xrefs: 001E4028
wait, xrefs: 001E4044
close cd wait, xrefs: 001E4072

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 3e401d9974bdb9328493852d5c1f3e3745a71832cff1ba5c67206b9cd84fc7bb
Instruction ID: 01c1f988354c64650cf2d996817f1eb0cddba9fe0deccd27afa9e5e590a47f80
Opcode Fuzzy Hash: 3e401d9974bdb9328493852d5c1f3e3745a71832cff1ba5c67206b9cd84fc7bb
Instruction Fuzzy Hash: E871D2716047019FC710EF25C8858AEB7F4EFA5758F10892DF8A997291EB30DE45CB92

Function 001D5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 001D5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001D5A40
SetWindowTextW.USER32(?,?), ref: 001D5A57
GetDlgItem.USER32(?,000003EA), ref: 001D5A6C
SetWindowTextW.USER32(00000000,?), ref: 001D5A72
GetDlgItem.USER32(?,000003E9), ref: 001D5A82
SetWindowTextW.USER32(00000000,?), ref: 001D5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001D5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001D5AC3
GetWindowRect.USER32(?,?), ref: 001D5ACC
_wcslen.LIBCMT ref: 001D5B33
SetWindowTextW.USER32(?,?), ref: 001D5B6F
GetDesktopWindow.USER32 ref: 001D5B75
GetWindowRect.USER32(00000000), ref: 001D5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 001D5BD3
GetClientRect.USER32(?,?), ref: 001D5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 001D5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001D5C2F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 8306dc8023631e4b62db64558a4ceab0a972e2ef5eaec2fde1e360ca9462d483
Instruction ID: 2530e3b8ff7257908e4e44957c06e9212e76861fce559f83fca0ebe3f99a3320
Opcode Fuzzy Hash: 8306dc8023631e4b62db64558a4ceab0a972e2ef5eaec2fde1e360ca9462d483
Instruction Fuzzy Hash: 07717071900B05AFDB20DFA8CD89A6EBBF6FF48704F10461AE542A36A0D775E944CF50

Function 001EFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 001EFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 001EFE32
LoadCursorW.USER32(00000000,00007F00), ref: 001EFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 001EFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 001EFE53
LoadCursorW.USER32(00000000,00007F01), ref: 001EFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 001EFE69
LoadCursorW.USER32(00000000,00007F88), ref: 001EFE74
LoadCursorW.USER32(00000000,00007F80), ref: 001EFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 001EFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 001EFE95
LoadCursorW.USER32(00000000,00007F85), ref: 001EFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 001EFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 001EFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 001EFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 001EFECC
GetCursorInfo.USER32(?), ref: 001EFEDC
GetLastError.KERNEL32 ref: 001EFF1E

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 4430469c3a54c2d73bfa1f3ee4c02a7abddf80a9a4111cf13594650d550ca0c5
Instruction ID: d3dfa9bdfaa6c0d2bc9cb9edfc06047c52a6ee11ce948a359d333536fb33d68c
Opcode Fuzzy Hash: 4430469c3a54c2d73bfa1f3ee4c02a7abddf80a9a4111cf13594650d550ca0c5
Instruction Fuzzy Hash: 964163B0D043596ADB10DFBA8C8985EBFE8FF04354B50852AF51DE7281DB78A901CF91

Function 001D30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D318D
_wcslen.LIBCMT ref: 001D31F8

Strings

CLASSNN, xrefs: 001D31F3, 001D3204
NAME, xrefs: 001D3335, 001D3346
[#, xrefs: 001D339A
REGEXPCLASS, xrefs: 001D3255, 001D3266
TEXT, xrefs: 001D347C
CLASS, xrefs: 001D3188, 001D31A5
INSTANCE, xrefs: 001D3453

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[#
API String ID: 176396367-1113138700
Opcode ID: c34313f7100e51334c088d307ebb0a1cf41db58df3beaa4d5645da5a673ce918
Instruction ID: 14594ad171634bac0a2ad408659d5154bf6d0fb994fbf17ef5ba409f180d0903
Opcode Fuzzy Hash: c34313f7100e51334c088d307ebb0a1cf41db58df3beaa4d5645da5a673ce918
Instruction Fuzzy Hash: 89E1E532A00526ABCF189F68C451AEEFBB1BF54754F54811BE46AB7340DB30AF85C7A1

Function 001900C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001900C6

Part of subcall function 001900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0024070C,00000FA0,5FB293D2,?,?,?,?,001B23B3,000000FF), ref: 0019011C
Part of subcall function 001900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001B23B3,000000FF), ref: 00190127
Part of subcall function 001900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001B23B3,000000FF), ref: 00190138
Part of subcall function 001900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0019014E
Part of subcall function 001900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0019015C
Part of subcall function 001900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0019016A
Part of subcall function 001900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00190195
Part of subcall function 001900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001901A0

___scrt_fastfail.LIBCMT ref: 001900E7

Part of subcall function 001900A3: __onexit.LIBCMT ref: 001900A9

Strings

InitializeConditionVariable, xrefs: 00190148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00190122
SleepConditionVariableCS, xrefs: 00190154
WakeAllConditionVariable, xrefs: 00190162
kernel32.dll, xrefs: 00190133

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 0733623a119dadf0513f1e9eb5296fd16f16b4d0fca94859c3bc51d67999b0d7
Instruction ID: 60d9fbf97eccc6969093a6ddd2a5b53722f56feed8766592f251a618a71494cb
Opcode Fuzzy Hash: 0733623a119dadf0513f1e9eb5296fd16f16b4d0fca94859c3bc51d67999b0d7
Instruction Fuzzy Hash: BF213E72A54710AFDB226BA4BC4DB6973D4DB0DF51F100239F901E76D2DB709C408A51

Function 001E44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0020CC08), ref: 001E4527
_wcslen.LIBCMT ref: 001E453B
_wcslen.LIBCMT ref: 001E4599
_wcslen.LIBCMT ref: 001E45F4
_wcslen.LIBCMT ref: 001E463F
_wcslen.LIBCMT ref: 001E46A7

Part of subcall function 0018F9F2: _wcslen.LIBCMT ref: 0018F9FD

GetDriveTypeW.KERNEL32(?,00236BF0,00000061), ref: 001E4743

Strings

all, xrefs: 001E4531, 001E4536
cdrom, xrefs: 001E458F, 001E4594
network, xrefs: 001E469D, 001E46A2
removable, xrefs: 001E45EA, 001E45EF
fixed, xrefs: 001E4635, 001E463A
unknown, xrefs: 001E4708
ramdisk, xrefs: 001E46F1

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: f3ff3ef752b3528163977f9b571835597ba936c65f3f373d7ef523258af1de0e
Instruction ID: ae529b0940987a3cf4f7ce39e7a20e1bf324749d358ef32d83b9e2f71a4435ef
Opcode Fuzzy Hash: f3ff3ef752b3528163977f9b571835597ba936c65f3f373d7ef523258af1de0e
Instruction Fuzzy Hash: 9AB134716087429FC714DF2AC890A6EB7F5BFA9724F50891DF09AC7291D730D845CB92

Function 0020911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

DragQueryPoint.SHELL32(?,?), ref: 00209147

Part of subcall function 00207674: ClientToScreen.USER32(?,?), ref: 0020769A
Part of subcall function 00207674: GetWindowRect.USER32(?,?), ref: 00207710
Part of subcall function 00207674: PtInRect.USER32(?,?,00208B89), ref: 00207720

SendMessageW.USER32(?,000000B0,?,?), ref: 002091B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002091BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002091DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00209225
SendMessageW.USER32(?,000000B0,?,?), ref: 0020923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00209255
SendMessageW.USER32(?,000000B1,?,?), ref: 00209277
DragFinish.SHELL32(?), ref: 0020927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00209371

Strings

@GUI_DRAGFILE, xrefs: 00209320
p#$, xrefs: 002092BB
@GUI_DROPID, xrefs: 0020929E
@GUI_DRAGID, xrefs: 002092E9

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#$
API String ID: 221274066-1279969420
Opcode ID: 766dcad47a0711eae71d88bfc7aa16c3fe295f0a58e9c6021aa26701289b7db7
Instruction ID: 6bd1daa5d5ba01d40178f1c87199e91668063b067bc2425998f5b857e4c121c6
Opcode Fuzzy Hash: 766dcad47a0711eae71d88bfc7aa16c3fe295f0a58e9c6021aa26701289b7db7
Instruction Fuzzy Hash: 00617771108301AFC705DF64DC89DAFBBF8EF99350F104A1EF596921A2DB309A59CB52

Function 0017326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00241990), ref: 001B2F8D
GetMenuItemCount.USER32(00241990), ref: 001B303D
GetCursorPos.USER32(?), ref: 001B3081
SetForegroundWindow.USER32(00000000), ref: 001B308A
TrackPopupMenuEx.USER32(00241990,00000000,?,00000000,00000000,00000000), ref: 001B309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001B30A9

Strings

0, xrefs: 0017327D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 1d712302edf2dd04f3501b45fe5eca9ab3a47c57e96692bf48a4a976a6391497
Instruction ID: 6b87840e28e4c98299a7e2a06b4234d82ff2fb6a069c38b6becd0758ac99fc63
Opcode Fuzzy Hash: 1d712302edf2dd04f3501b45fe5eca9ab3a47c57e96692bf48a4a976a6391497
Instruction Fuzzy Hash: FD7148B0644205BEEB259F64DC89FEABF78FF05324F204206F5296A1E1C7B1AD14DB90

Function 00206CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00206DEB

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00206E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00206E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00206E94
DestroyWindow.USER32(?), ref: 00206EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00170000,00000000), ref: 00206EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00206EFD
GetDesktopWindow.USER32 ref: 00206F16
GetWindowRect.USER32(00000000), ref: 00206F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00206F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00206F4D

Part of subcall function 00189944: GetWindowLongW.USER32(?,000000EB), ref: 00189952

Strings

tooltips_class32, xrefs: 00206E58, 00206EDD
0, xrefs: 00206D98

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 1122e8255a66741ac9ea9cef50b0aaab9c35edf4a35d2f80059e64fc7e88ac6d
Instruction ID: 37804c0d61131fc0bb4588dfe095b41f96d3211b976205446eae17ee0c843520
Opcode Fuzzy Hash: 1122e8255a66741ac9ea9cef50b0aaab9c35edf4a35d2f80059e64fc7e88ac6d
Instruction Fuzzy Hash: 05717BB4114346AFDB25CF18EC4CE6ABBF9FB89304F14051DF989872A2C771A966CB11

Function 001EC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001EC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001EC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001EC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001EC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001EC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001EC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001EC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001EC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001EC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001EC5F0
InternetCloseHandle.WININET(00000000), ref: 001EC5FB

Strings

, xrefs: 001EC575

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 99edcf8d58d8a9b71e50cd0aeacd4f03923f1188b146adeabf18aa9f90fd8821
Instruction ID: 520daa482982edcc5e59c421c3795bf62dd259c21615a83079326436f9c61567
Opcode Fuzzy Hash: 99edcf8d58d8a9b71e50cd0aeacd4f03923f1188b146adeabf18aa9f90fd8821
Instruction Fuzzy Hash: 0C517FB0600B45BFDB219F61DD88AAF7BFCFF48344F10451AF94696251D730E9459BA0

Function 0020856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00208592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002085A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002085AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002085BA
GlobalLock.KERNEL32(00000000), ref: 002085C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002085D7
GlobalUnlock.KERNEL32(00000000), ref: 002085E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002085E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002085F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0020FC38,?), ref: 00208611
GlobalFree.KERNEL32(00000000), ref: 00208621
GetObjectW.GDI32(?,00000018,?), ref: 00208641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00208671
DeleteObject.GDI32(?), ref: 00208699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002086AF

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: f25a1352de8e49c07eb30d5cef5daa48c01169dfe795402152b9040b42d3f61b
Instruction ID: 8d330a260736433ad7ef4d59e5dc3a0f18161e2198ec16a41352af9199a5f428
Opcode Fuzzy Hash: f25a1352de8e49c07eb30d5cef5daa48c01169dfe795402152b9040b42d3f61b
Instruction Fuzzy Hash: 22413CB1600305AFDB119F65DC8CEAB7BBCEF89711F118158F905E7292DB719901CB20

Function 001E14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001E1502
VariantCopy.OLEAUT32(?,?), ref: 001E150B
VariantClear.OLEAUT32(?), ref: 001E1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001E15FB
VarR8FromDec.OLEAUT32(?,?), ref: 001E1657
VariantInit.OLEAUT32(?), ref: 001E1708
SysFreeString.OLEAUT32(?), ref: 001E178C
VariantClear.OLEAUT32(?), ref: 001E17D8
VariantClear.OLEAUT32(?), ref: 001E17E7
VariantInit.OLEAUT32(00000000), ref: 001E1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 001E1625
Default, xrefs: 001E16AF

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 9be087f0c67872b6233121b3421cfa1b67f92c98ddc1a7c9369f5d8d664e2375
Instruction ID: 23efb0bdb34255384f5ce9ae95e62313c5eca87919c916ebad1283519ef14f8f
Opcode Fuzzy Hash: 9be087f0c67872b6233121b3421cfa1b67f92c98ddc1a7c9369f5d8d664e2375
Instruction Fuzzy Hash: 26D14671A00A45FBDB04EF66E888BBDB7B5BF46700F21815AF806AB185DB30DD41DB61

Function 001FB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FB6AE,?,?), ref: 001FC9B5
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FC9F1
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA68
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001FB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001FB772
RegDeleteValueW.ADVAPI32(?,?), ref: 001FB80A
RegCloseKey.ADVAPI32(?), ref: 001FB87E
RegCloseKey.ADVAPI32(?), ref: 001FB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 001FB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001FB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 001FB922
FreeLibrary.KERNEL32(00000000), ref: 001FB983
RegCloseKey.ADVAPI32(00000000), ref: 001FB994

Strings

RegDeleteKeyExW, xrefs: 001FB8FE
advapi32.dll, xrefs: 001FB8ED

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 2da50dff0b7ab9aacea2b366649190a5403e13d3bbb6c9b978e3da027d09e9ed
Instruction ID: d6009258be8aa9537e2f1131dc369fc6b13fe8c5f81ae2a0de2d9130a6e702fb
Opcode Fuzzy Hash: 2da50dff0b7ab9aacea2b366649190a5403e13d3bbb6c9b978e3da027d09e9ed
Instruction Fuzzy Hash: CEC18A70208205EFD714DF24C4D5F2ABBE5BF94318F24859CE69A8B2A2CB71ED45CB91

Function 001F255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001F25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001F25E8
CreateCompatibleDC.GDI32(?), ref: 001F25F4
SelectObject.GDI32(00000000,?), ref: 001F2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001F266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001F26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001F26D0
SelectObject.GDI32(?,?), ref: 001F26D8
DeleteObject.GDI32(?), ref: 001F26E1
DeleteDC.GDI32(?), ref: 001F26E8
ReleaseDC.USER32(00000000,?), ref: 001F26F3

Strings

(, xrefs: 001F268D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: db1c5cea79d5471537f75a73ab78ca12011ea22de88325115c13bea42996225f
Instruction ID: 3077275edcc6f2d816bf1790d37ebe94de3d4d588d850b685773e9b1129f0c85
Opcode Fuzzy Hash: db1c5cea79d5471537f75a73ab78ca12011ea22de88325115c13bea42996225f
Instruction Fuzzy Hash: 1D61F2B5D00219EFCF04CFA4D888AAEBBF6FF58310F208529EA59A7251D774A951CF50

Function 001ADA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 001ADAA1

Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD659
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD66B
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD67D
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD68F
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD6A1
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD6B3
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD6C5
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD6D7
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD6E9
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD6FB
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD70D
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD71F
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD731

_free.LIBCMT ref: 001ADA96

Part of subcall function 001A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000), ref: 001A29DE
Part of subcall function 001A29C8: GetLastError.KERNEL32(00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000,00000000), ref: 001A29F0

_free.LIBCMT ref: 001ADAB8
_free.LIBCMT ref: 001ADACD
_free.LIBCMT ref: 001ADAD8
_free.LIBCMT ref: 001ADAFA
_free.LIBCMT ref: 001ADB0D
_free.LIBCMT ref: 001ADB1B
_free.LIBCMT ref: 001ADB26
_free.LIBCMT ref: 001ADB5E
_free.LIBCMT ref: 001ADB65
_free.LIBCMT ref: 001ADB82
_free.LIBCMT ref: 001ADB9A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fa17c048496914e46a4575432aec4c7dddc6f3d648fc821bf7dc22354578b0a3
Instruction ID: eb38881f6a0c756b0127b0ee45300db4a60bbaf7e211e5e6a0d3ece67f85d651
Opcode Fuzzy Hash: fa17c048496914e46a4575432aec4c7dddc6f3d648fc821bf7dc22354578b0a3
Instruction Fuzzy Hash: 26316B39604B049FEB62AA38E845B6B77E8FF23714F114419E48AD7591DF30AC408721

Function 001D365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001D369C
_wcslen.LIBCMT ref: 001D36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001D3797
GetClassNameW.USER32(?,?,00000400), ref: 001D380C
GetDlgCtrlID.USER32(?), ref: 001D385D
GetWindowRect.USER32(?,?), ref: 001D3882
GetParent.USER32(?), ref: 001D38A0
ScreenToClient.USER32(00000000), ref: 001D38A7
GetClassNameW.USER32(?,?,00000100), ref: 001D3921
GetWindowTextW.USER32(?,?,00000400), ref: 001D395D

Strings

%s%u, xrefs: 001D3734

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 410d268e2dca5e48b145c7fbe0cb50f2f9a78d4b4e77a239a43be852e8b8bdea
Instruction ID: 13d102a691d7c65ef50f3d318437d545e4895e509b44b26c2123e2b009d09a9f
Opcode Fuzzy Hash: 410d268e2dca5e48b145c7fbe0cb50f2f9a78d4b4e77a239a43be852e8b8bdea
Instruction Fuzzy Hash: FE91EA71204706AFD719DF24C895FEAF7A8FF44354F00462AF9A9D2291DB30EA45CB92

Function 001D4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 001D4994
GetWindowTextW.USER32(?,?,00000400), ref: 001D49DA
_wcslen.LIBCMT ref: 001D49EB
CharUpperBuffW.USER32(?,00000000), ref: 001D49F7
_wcsstr.LIBVCRUNTIME ref: 001D4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 001D4A64
GetWindowTextW.USER32(?,?,00000400), ref: 001D4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 001D4AE6
GetClassNameW.USER32(?,?,00000400), ref: 001D4B20
GetWindowRect.USER32(?,?), ref: 001D4B8B

Strings

ThumbnailClass, xrefs: 001D4A6F, 001D4AF1

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: ed1b196a8a7830d9230ed64bcd80e7648eb0094f86b744fd1be6cdb4f0aa6139
Instruction ID: a9c6f5d7ae90a33bd562008c5dae2cad59a755cdc861bb4540f5fc5f144c48e3
Opcode Fuzzy Hash: ed1b196a8a7830d9230ed64bcd80e7648eb0094f86b744fd1be6cdb4f0aa6139
Instruction Fuzzy Hash: 2E91BC710083059FDB14CF14C985BAA77E8FF94354F04856BFD8A9A296DB30ED45CBA1

Function 00208D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00208D5A
GetFocus.USER32 ref: 00208D6A
GetDlgCtrlID.USER32(00000000), ref: 00208D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00208E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00208ECF
GetMenuItemCount.USER32(?), ref: 00208EEC
GetMenuItemID.USER32(?,00000000), ref: 00208EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00208F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00208F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00208FA1

Strings

0, xrefs: 00208E9F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: d0bb6f23faa270ab79261cf49fd3ecfaea9c43c3b213c4d5aefa2984333e3748
Instruction ID: d69c2b07962cd7f278fff0cb76e2da2d9969ca280ccfd5f296d5e5e018b859d8
Opcode Fuzzy Hash: d0bb6f23faa270ab79261cf49fd3ecfaea9c43c3b213c4d5aefa2984333e3748
Instruction Fuzzy Hash: FE81A1715143029FDB10DF24D888A6B7BE9FB88354F140A1DF9C5972D2DB70D960CB62

Function 001DBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00241990,000000FF,00000000,00000030), ref: 001DBFAC
SetMenuItemInfoW.USER32(00241990,00000004,00000000,00000030), ref: 001DBFE1
Sleep.KERNEL32(000001F4), ref: 001DBFF3
GetMenuItemCount.USER32(?), ref: 001DC039
GetMenuItemID.USER32(?,00000000), ref: 001DC056
GetMenuItemID.USER32(?,-00000001), ref: 001DC082
GetMenuItemID.USER32(?,?), ref: 001DC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001DC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001DC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001DC145

Strings

0, xrefs: 001DBF3D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 1bf324e688aa11697e4920b4e10b7a3ba9749bdb871ca63c8eba580736f3d3da
Instruction ID: bce0ddb9c4376533bb3d51f4be688c7525b3b6f3a17f642f7e334990cf6f4779
Opcode Fuzzy Hash: 1bf324e688aa11697e4920b4e10b7a3ba9749bdb871ca63c8eba580736f3d3da
Instruction Fuzzy Hash: ED6190B4900256EFDF25CF64DC88AEEBBB8EB05344F544656F811A3392C731AD44CBA0

Function 001DDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 001DDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001DDC46
_wcslen.LIBCMT ref: 001DDC50
_wcsstr.LIBVCRUNTIME ref: 001DDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001DDCBC

Strings

StringFileInfo\, xrefs: 001DDC8F
%u.%u.%u.%u, xrefs: 001DDD9A
DefaultLangCodepage, xrefs: 001DDD1F
04090000, xrefs: 001DDCF2
\VarFileInfo\Translation, xrefs: 001DDCB4

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: b0f103ad6316219282172f076db89a1af24d2e12a4874e466cc4e71f1a3ed347
Instruction ID: 497e8ade240e9aa32e83bbee0ea6eec14fb441067ef48d0e44d6e4355a0a60db
Opcode Fuzzy Hash: b0f103ad6316219282172f076db89a1af24d2e12a4874e466cc4e71f1a3ed347
Instruction Fuzzy Hash: FB4104729402007AEF14B774AC07EBF776CEF66710F14416AF900A62D3EB749A158BA5

Function 001FCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001FCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001FCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001FCD48

Part of subcall function 001FCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001FCCAA
Part of subcall function 001FCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001FCCBD
Part of subcall function 001FCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001FCCCF
Part of subcall function 001FCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001FCD05
Part of subcall function 001FCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001FCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 001FCCF3

Strings

RegDeleteKeyExW, xrefs: 001FCCC9
advapi32.dll, xrefs: 001FCCB8

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: b8cae3fbf26e30e6ff680b5c21d8774b660802de16223e384a35af39dc405aa6
Instruction ID: d91520abcb2186fd24f06c0ab6a17f3cb353cd8a5e49a50c81f85280eb226512
Opcode Fuzzy Hash: b8cae3fbf26e30e6ff680b5c21d8774b660802de16223e384a35af39dc405aa6
Instruction Fuzzy Hash: A23160B190122DBBDB208B94DD8CEFFBB7CEF55750F100165AA05E2241D7349A45EAE0

Function 001E3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001E3D40
_wcslen.LIBCMT ref: 001E3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 001E3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001E3DBE
RemoveDirectoryW.KERNEL32(?), ref: 001E3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 001E3E55
CloseHandle.KERNEL32(00000000), ref: 001E3E60
CloseHandle.KERNEL32(00000000), ref: 001E3E6B

Strings

\??\%s, xrefs: 001E3D5B
\, xrefs: 001E3D77
:, xrefs: 001E3D82

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b22e1c039617f4dbb89ba058f1d4ceb88b53da5fb0affbc0395693da75626195
Instruction ID: d0b5e4093ca2bd039acea3df7623eeb371274db452c27245ef250d8c9b0e69d8
Opcode Fuzzy Hash: b22e1c039617f4dbb89ba058f1d4ceb88b53da5fb0affbc0395693da75626195
Instruction Fuzzy Hash: EA31AFB2900249ABDB219BA1DC4DFEF37BDFF88700F6041A5F919D6061EB7097448B24

Function 001DE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001DE6B4

Part of subcall function 0018E551: timeGetTime.WINMM(?,?,001DE6D4), ref: 0018E555

Sleep.KERNEL32(0000000A), ref: 001DE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 001DE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001DE727
SetActiveWindow.USER32 ref: 001DE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001DE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 001DE773
Sleep.KERNEL32(000000FA), ref: 001DE77E
IsWindow.USER32 ref: 001DE78A
EndDialog.USER32(00000000), ref: 001DE79B

Strings

BUTTON, xrefs: 001DE719

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 80c8ef1d614f30f96ce6e8133cf7a0c1107e2360c5eaadf1acb95f3b65dcfd11
Instruction ID: ba5b764d96233d4d546e7a44f00bfb543d181afcab806a40cc3795182ef0abbc
Opcode Fuzzy Hash: 80c8ef1d614f30f96ce6e8133cf7a0c1107e2360c5eaadf1acb95f3b65dcfd11
Instruction Fuzzy Hash: 0321A7F4200310EFEB116F61FC8DA363BADF755349F510526F415852A2DB719C048A54

Function 001DE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001DEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001DEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001DEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001DEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001DEAA7

Strings

alias PlayMe, xrefs: 001DEA36
status PlayMe mode, xrefs: 001DEA58
play PlayMe, xrefs: 001DEAA2
open , xrefs: 001DEA0C
play PlayMe wait, xrefs: 001DEA91
close PlayMe, xrefs: 001DEA6E, 001DEA9B

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 1bca198d40ac3459b9ec9f6caffe9cf03919ae8f3861c98218c801bb0fe097cd
Instruction ID: ed3990d9110d407aa5995a0937f12887757ce361df001fe12975717d5a39e0d0
Opcode Fuzzy Hash: 1bca198d40ac3459b9ec9f6caffe9cf03919ae8f3861c98218c801bb0fe097cd
Instruction Fuzzy Hash: 59117371AA025979D720F7A1DC4EEFF7ABCEBE2B00F40442A7415A60D1EF700915C5B0

Function 001D5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 001D5CE2
GetWindowRect.USER32(00000000,?), ref: 001D5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 001D5D59
GetDlgItem.USER32(?,00000002), ref: 001D5D69
GetWindowRect.USER32(00000000,?), ref: 001D5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 001D5DCF
GetDlgItem.USER32(?,000003E9), ref: 001D5DDD
GetWindowRect.USER32(00000000,?), ref: 001D5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 001D5E31
GetDlgItem.USER32(?,000003EA), ref: 001D5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001D5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 001D5E67

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d56a31af3158de9f58066403d1dd0cf85cc43cdc16c1bdfa08959a12a476f6e3
Instruction ID: ab8c97b66d4b0552161c2457cd437f5799b65262cf87f768c9eda9b5f7d2f0ca
Opcode Fuzzy Hash: d56a31af3158de9f58066403d1dd0cf85cc43cdc16c1bdfa08959a12a476f6e3
Instruction Fuzzy Hash: DA5104B1A00705AFDB14DF68DD89AAEBBBAFB48310F248229F515E7291D7709D00CB60

Function 00188BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00188F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00188BE8,?,00000000,?,?,?,?,00188BBA,00000000,?), ref: 00188FC5

DestroyWindow.USER32(?), ref: 00188C81
KillTimer.USER32(00000000,?,?,?,?,00188BBA,00000000,?), ref: 00188D1B
DestroyAcceleratorTable.USER32(00000000), ref: 001C6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00188BBA,00000000,?), ref: 001C69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00188BBA,00000000,?), ref: 001C69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00188BBA,00000000), ref: 001C69D4
DeleteObject.GDI32(00000000), ref: 001C69E6

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 8060bd8b8922c2f014f4bc5e581e319524aa3e827b2de687ca005f02fe404b65
Instruction ID: dfbc54025a2b62643c6515f9479049cf9622b0565a9693ecad713538f2552d60
Opcode Fuzzy Hash: 8060bd8b8922c2f014f4bc5e581e319524aa3e827b2de687ca005f02fe404b65
Instruction Fuzzy Hash: 1A617A74502710DFDB26AF14E94CB65B7F1FB51316F54461CE0429B9A4CB71EAA0CFA0

Function 00189838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00189944: GetWindowLongW.USER32(?,000000EB), ref: 00189952

GetSysColor.USER32(0000000F), ref: 00189862

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8b2766a83c0814ee4a1657fedc9ab71d03204ad0087e96a5e5def11858e731ba
Instruction ID: 48b4e57bc80494565be62e1c1f5e61ade2f80b25a42d042bd3fb7f3169d021f3
Opcode Fuzzy Hash: 8b2766a83c0814ee4a1657fedc9ab71d03204ad0087e96a5e5def11858e731ba
Instruction Fuzzy Hash: CE41A371104744AFDB206F38AC88BB93B65AB17334F284619F9A6872E2C7719E42DF10

Function 001D96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,001BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 001D9717
LoadStringW.USER32(00000000,?,001BF7F8,00000001), ref: 001D9720

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,001BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 001D9742
LoadStringW.USER32(00000000,?,001BF7F8,00000001), ref: 001D9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 001D9866

Strings

Line %d (File "%s"):, xrefs: 001D978F
^ ERROR, xrefs: 001D97FB
Error: , xrefs: 001D981D
Line %d:, xrefs: 001D97A0
%s (%d) : ==> %s: %s %s, xrefs: 001D984A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: b503097d81d50bb26ce17f85186755120d1f587964657b562b94d27b1546bf05
Instruction ID: 8033612dfa7bf55a980ad696ad351c4c423a2bea707dd39c475ff3a0c5351d47
Opcode Fuzzy Hash: b503097d81d50bb26ce17f85186755120d1f587964657b562b94d27b1546bf05
Instruction Fuzzy Hash: BA416D72800209AACF14FBE0DD86DEEB77CAF25340F608165F60972192EB356F48DB61

Function 001D06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001D07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001D07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001D07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001D0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 001D082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001D0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001D083C

Strings

\CLSID, xrefs: 001D0724
SOFTWARE\Classes\, xrefs: 001D070E
\IPC$, xrefs: 001D0784

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 836545b4dfcb4fc0693f75d7113eb2bb00d304383720b7bb5cf52c8f0b06ef96
Instruction ID: 2c8531d0af753ea143cd3b816e2a69caa49ae72df07ae6337436111e412f0144
Opcode Fuzzy Hash: 836545b4dfcb4fc0693f75d7113eb2bb00d304383720b7bb5cf52c8f0b06ef96
Instruction Fuzzy Hash: F8410A72C10229ABDF15EBA4DC85DEDB778FF58350F548129E915A72A1EB305E04CB90

Function 001F3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001F3C5C
CoInitialize.OLE32(00000000), ref: 001F3C8A
CoUninitialize.OLE32 ref: 001F3C94
_wcslen.LIBCMT ref: 001F3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 001F3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 001F3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001F3F0E
CoGetObject.OLE32(?,00000000,0020FB98,?), ref: 001F3F2D
SetErrorMode.KERNEL32(00000000), ref: 001F3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001F3FC4
VariantClear.OLEAUT32(?), ref: 001F3FD8

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: b03ac51bae7a9ce5de316c77f242da63f8d77bfb473bc32fadcdecfe76339ec8
Instruction ID: 0286e0f55f3451eadff408536309036710c3c2faea74b6c3e3cc76e900d89be5
Opcode Fuzzy Hash: b03ac51bae7a9ce5de316c77f242da63f8d77bfb473bc32fadcdecfe76339ec8
Instruction Fuzzy Hash: A3C136B16083099FD700DF68C88492BB7E9FF89748F14491DFA9A9B251D731EE06CB52

Function 001E7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001E7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001E7B8F
SHGetDesktopFolder.SHELL32(?), ref: 001E7BA3
CoCreateInstance.OLE32(0020FD08,00000000,00000001,00236E6C,?), ref: 001E7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001E7C74
CoTaskMemFree.OLE32(?,?), ref: 001E7CCC
SHBrowseForFolderW.SHELL32(?), ref: 001E7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001E7D7A
CoTaskMemFree.OLE32(00000000), ref: 001E7D81
CoTaskMemFree.OLE32(00000000), ref: 001E7DD6
CoUninitialize.OLE32 ref: 001E7DDC

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 7bea602d924f7a230ca3f0327871014c9c689ad3b634a81fdf8a08ad6cb2d2dc
Instruction ID: adadb7f534b05f5f072db425230e3ad3c61d41309a7fde6781b725798ec170f0
Opcode Fuzzy Hash: 7bea602d924f7a230ca3f0327871014c9c689ad3b634a81fdf8a08ad6cb2d2dc
Instruction Fuzzy Hash: F9C15C74A04609AFDB14DFA4C888DAEBBF9FF48304B148198E409DB261D730EE41CB90

Function 0020541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00205504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00205515
CharNextW.USER32(00000158), ref: 00205544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00205585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0020559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002055AC

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 6c60dd76169fffe6ac9535bbb23b3adb2d8535d2dcba19fcffaf808c10e49a61
Instruction ID: a2afdd8277381db9472a56fdec94594c78697e755c8e0ebe668a4e5b75a20446
Opcode Fuzzy Hash: 6c60dd76169fffe6ac9535bbb23b3adb2d8535d2dcba19fcffaf808c10e49a61
Instruction Fuzzy Hash: 88618D74920729ABDF108F54DC88DFF7BB9EB05320F104145F925A62D2D7749AA1DF60

Function 001CFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001CFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 001CFB08
VariantInit.OLEAUT32(?), ref: 001CFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 001CFB3A
VariantCopy.OLEAUT32(?,?), ref: 001CFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 001CFBA1
VariantClear.OLEAUT32(?), ref: 001CFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 001CFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001CFBCC
VariantClear.OLEAUT32(?), ref: 001CFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001CFBE9

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a17585d072a6ca4e207ea034204370c415176264e6fb4d38a2fe1a68a26b59fd
Instruction ID: ebdef8c02715f14caf98b6bc57282c704a7bd627aef455c4fd6c24e263a7f4b8
Opcode Fuzzy Hash: a17585d072a6ca4e207ea034204370c415176264e6fb4d38a2fe1a68a26b59fd
Instruction Fuzzy Hash: DD413075A002199FCB04DF64D858EEDBBB9FF58344F10816DE945A7262C730EE46CB90

Function 001D9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001D9CA1
GetAsyncKeyState.USER32(000000A0), ref: 001D9D22
GetKeyState.USER32(000000A0), ref: 001D9D3D
GetAsyncKeyState.USER32(000000A1), ref: 001D9D57
GetKeyState.USER32(000000A1), ref: 001D9D6C
GetAsyncKeyState.USER32(00000011), ref: 001D9D84
GetKeyState.USER32(00000011), ref: 001D9D96
GetAsyncKeyState.USER32(00000012), ref: 001D9DAE
GetKeyState.USER32(00000012), ref: 001D9DC0
GetAsyncKeyState.USER32(0000005B), ref: 001D9DD8
GetKeyState.USER32(0000005B), ref: 001D9DEA

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e8b076a89b4bb845d73318502874f9a285038337716e55d50b781bfbfe782fd5
Instruction ID: 734d5d6058ff2815acd52e52b9bb6a23e1b9cf59240056421e863a3950193aaf
Opcode Fuzzy Hash: e8b076a89b4bb845d73318502874f9a285038337716e55d50b781bfbfe782fd5
Instruction Fuzzy Hash: 66410A74504BC96DFF3097A4C8043B6BEE1AF11344F44805BDAC65B7C2EBA5A9C8C7A2

Function 001F055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001F05BC
inet_addr.WSOCK32(?), ref: 001F061C
gethostbyname.WSOCK32(?), ref: 001F0628
IcmpCreateFile.IPHLPAPI ref: 001F0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001F06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001F06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001F07B9
WSACleanup.WSOCK32 ref: 001F07BF

Strings

Ping, xrefs: 001F0676

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ed0d5721346390df94d55e24d355cda207d58cf16cc3103683a1ab022eceac0a
Instruction ID: 521589b5a1ffa2693282537d5a5a8c720f60926ace0cc219a6a45de1d23fd1c8
Opcode Fuzzy Hash: ed0d5721346390df94d55e24d355cda207d58cf16cc3103683a1ab022eceac0a
Instruction Fuzzy Hash: 7591AF746083019FD721DF15D888F2ABBE0AF48318F1586A9F5A98B6A3C770ED41CF91

Function 001F8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 001F8CF3

Part of subcall function 001D8E54: _wcslen.LIBCMT ref: 001D8E77

_wcslen.LIBCMT ref: 001F8D4E
_wcslen.LIBCMT ref: 001F8D9C
_wcslen.LIBCMT ref: 001F8DDC
_wcslen.LIBCMT ref: 001F8E6E

Strings

winapi, xrefs: 001F8D96, 001F8D9B
stdcall, xrefs: 001F8DD6, 001F8DDB
none, xrefs: 001F8E65, 001F8E6A
cdecl, xrefs: 001F8D48, 001F8D4D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 959334245fc98c62c6f80c0cc1410274732103c0ffec7c190bcdd5b2abf85067
Instruction ID: bd942c06a7236f151d0b5059f8fe48ac2c17bbb6c8fab36f8bba444262279d3d
Opcode Fuzzy Hash: 959334245fc98c62c6f80c0cc1410274732103c0ffec7c190bcdd5b2abf85067
Instruction Fuzzy Hash: 0051B272A0051A9BCF24DFACC9518BEB7A5BF74324B214229E626E72C5DF30DD41C790

Function 001F372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 001F3774
CoUninitialize.OLE32 ref: 001F377F
CoCreateInstance.OLE32(?,00000000,00000017,0020FB78,?), ref: 001F37D9
IIDFromString.OLE32(?,?), ref: 001F384C
VariantInit.OLEAUT32(?), ref: 001F38E4
VariantClear.OLEAUT32(?), ref: 001F3936

Strings

NULL Pointer assignment, xrefs: 001F381E
Invalid parameter, xrefs: 001F3865
Failed to create object, xrefs: 001F37E4, 001F389A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 37169320f417df2f6ef5bb3567c7bc85172628f3405cb8a7ea88dd6881e1658b
Instruction ID: ede2d0a71b05800e4e7de2b24ae6002061c72db33adae86cd7002238683550bb
Opcode Fuzzy Hash: 37169320f417df2f6ef5bb3567c7bc85172628f3405cb8a7ea88dd6881e1658b
Instruction Fuzzy Hash: 4161E0B0208305AFD311EF54D888F6AB7E8EF49740F104A09FA959B291C770EE48CB92

Function 00208B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

Part of subcall function 0018912D: GetCursorPos.USER32(?), ref: 00189141
Part of subcall function 0018912D: ScreenToClient.USER32(00000000,?), ref: 0018915E
Part of subcall function 0018912D: GetAsyncKeyState.USER32(00000001), ref: 00189183
Part of subcall function 0018912D: GetAsyncKeyState.USER32(00000002), ref: 0018919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00208B6B
ImageList_EndDrag.COMCTL32 ref: 00208B71
ReleaseCapture.USER32 ref: 00208B77
SetWindowTextW.USER32(?,00000000), ref: 00208C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00208C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00208CFF

Strings

@GUI_DRAGFILE, xrefs: 00208C9A
@GUI_DROPID, xrefs: 00208C51
p#$, xrefs: 00208C71

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#$
API String ID: 1924731296-1082444028
Opcode ID: fdc4adb746e66edc2d9e20a5e1e1014996d0a03ca0398d40080960d36da5e97e
Instruction ID: 8d519ca5aadf6e868cc0e895e0f021cebab6705c54a64af4814716afcc712a3e
Opcode Fuzzy Hash: fdc4adb746e66edc2d9e20a5e1e1014996d0a03ca0398d40080960d36da5e97e
Instruction Fuzzy Hash: F0519C71114304AFE704EF24DC5AFAA77E4FB88714F40062DF996572E2CB709964CB62

Function 001E3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001E33CF

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001E33F0

Strings

Line %d (File "%s"):, xrefs: 001E3443, 001E345C
^ ERROR , xrefs: 001E349E
Error: , xrefs: 001E34D1
"%s" (%d) : ==> %s:, xrefs: 001E3522
Incorrect parameters to object property !, xrefs: 001E34AB
"%s" (%d) : ==> %s:%s%s, xrefs: 001E3504

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 27b6377370590c5e02405eebfd90e1665947b81b9c6b006ffb20216e8089fa72
Instruction ID: 0cb38abac47d58780b91f60d3cae96962e8d93d26321b52a4ef79f5d62d74152
Opcode Fuzzy Hash: 27b6377370590c5e02405eebfd90e1665947b81b9c6b006ffb20216e8089fa72
Instruction Fuzzy Hash: EA51D171D00609BADF15EBA0DD4AEEEB778AF25300F208065F11973192EB312F68DB61

Function 001DB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001DB5FC
_wcslen.LIBCMT ref: 001DB608
_wcslen.LIBCMT ref: 001DB64D
_wcslen.LIBCMT ref: 001DB68C
_wcslen.LIBCMT ref: 001DB6C7

Strings

KEYS, xrefs: 001DB647, 001DB64C
APPEND, xrefs: 001DB6C1, 001DB6C6
REMOVE, xrefs: 001DB602, 001DB607
EXISTS, xrefs: 001DB686, 001DB68B

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 98d248d4419c73e899da0b121f904593877680546cee7fc0c62794db37b83e73
Instruction ID: 48bab2a46f151258f65831de77aaa3a1702d4b1bcc7f00be1ce62c66ae7d65e0
Opcode Fuzzy Hash: 98d248d4419c73e899da0b121f904593877680546cee7fc0c62794db37b83e73
Instruction Fuzzy Hash: 6241E832A08026DBCB105F7D88D05BEB7A5EFA4754B66422BE422D7384E735CD81C790

Function 001E5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001E53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001E5416
GetLastError.KERNEL32 ref: 001E5420
SetErrorMode.KERNEL32(00000000,READY), ref: 001E54A7

Strings

READY, xrefs: 001E5460, 001E5468
NOTREADY, xrefs: 001E544B
INVALID, xrefs: 001E5459
READONLY, xrefs: 001E5452
UNKNOWN, xrefs: 001E5444

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 839c60b152e060d53598135fd0b38269bf3351059fe1542047f89174d2b3a932
Instruction ID: a69a87a2c1bfff965ae17eea8666c92ebfea085a2b3d3ce4c5546a9e7c982317
Opcode Fuzzy Hash: 839c60b152e060d53598135fd0b38269bf3351059fe1542047f89174d2b3a932
Instruction Fuzzy Hash: 0531D075A00A44DFC710DF69D488AAEBBF9EF14309F148065E405CB292E770ED86CBA0

Function 00203C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00203C79
SetMenu.USER32(?,00000000), ref: 00203C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00203D10
IsMenu.USER32(?), ref: 00203D24
CreatePopupMenu.USER32 ref: 00203D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00203D5B
DrawMenuBar.USER32 ref: 00203D63

Strings

0, xrefs: 00203C54
F, xrefs: 00203D4E

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 9abaa385cdacba33ec179fd1edd5c1ee9480271aac23a93702f9c04238c51b59
Instruction ID: b4af2a5fc10dc9167d2d2bd650163e042169407dba6618381f5106b50a823e0c
Opcode Fuzzy Hash: 9abaa385cdacba33ec179fd1edd5c1ee9480271aac23a93702f9c04238c51b59
Instruction Fuzzy Hash: 09417FB9611306EFDB14CF54E848A9A7BB9FF49350F140129F946A73A1D770AA20DF50

Function 001D1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001D3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 001D1F64
GetDlgCtrlID.USER32 ref: 001D1F6F
GetParent.USER32 ref: 001D1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 001D1F8E
GetDlgCtrlID.USER32(?), ref: 001D1F97
GetParent.USER32(?), ref: 001D1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 001D1FAE

Strings

ComboBox, xrefs: 001D1EEC
ListBox, xrefs: 001D1F21

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 4fc5f14fd64eb2ad02cd9db49a197b68d75d5b3c1c1356cad74e5859a24f1264
Instruction ID: 31922dacdc429ee6e737a58adb19ff3d7393570fbbce2e8d2cfaf29df03b0132
Opcode Fuzzy Hash: 4fc5f14fd64eb2ad02cd9db49a197b68d75d5b3c1c1356cad74e5859a24f1264
Instruction Fuzzy Hash: 0921D4B0A00214BBCF19AFA0DC85DEEBBB8EF55310F104216F965A7292CB355919DB60

Function 00203A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00203A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00203AA0
GetWindowLongW.USER32(?,000000F0), ref: 00203AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00203AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00203B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00203BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00203BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00203BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00203BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00203C13

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 54c97949d3f0a6a03ae2d43f9fd1a7f96d4cfdae748de6c670889e2963308ed8
Instruction ID: 13416c1678561bbd96e95726bf9a16f890bd800fafb59013df24ff2b8f84c218
Opcode Fuzzy Hash: 54c97949d3f0a6a03ae2d43f9fd1a7f96d4cfdae748de6c670889e2963308ed8
Instruction Fuzzy Hash: 18618C75900208AFDB10DF68CC81EEE77B8EB49704F10019AFA15E72E2D770AE91DB50

Function 001DB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001DB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,001DA1E1,?,00000001), ref: 001DB165
GetWindowThreadProcessId.USER32(00000000), ref: 001DB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001DA1E1,?,00000001), ref: 001DB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 001DB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,001DA1E1,?,00000001), ref: 001DB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001DA1E1,?,00000001), ref: 001DB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001DA1E1,?,00000001), ref: 001DB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,001DA1E1,?,00000001), ref: 001DB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,001DA1E1,?,00000001), ref: 001DB21D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6d92dfc34cd626990efba23a7562694a0b124f80d6cad36a13b97b6905840fb9
Instruction ID: 7c8cbc7886f500e39492fc6385b474672f704bed595381e9a67fc512af99c96e
Opcode Fuzzy Hash: 6d92dfc34cd626990efba23a7562694a0b124f80d6cad36a13b97b6905840fb9
Instruction Fuzzy Hash: 8F3180BA504204EFDB20DF24FCCCB6D7BB9AB52355F214216FA06D6291D7B4A9408F60

Function 001A2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001A2C94

Part of subcall function 001A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000), ref: 001A29DE
Part of subcall function 001A29C8: GetLastError.KERNEL32(00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000,00000000), ref: 001A29F0

_free.LIBCMT ref: 001A2CA0
_free.LIBCMT ref: 001A2CAB
_free.LIBCMT ref: 001A2CB6
_free.LIBCMT ref: 001A2CC1
_free.LIBCMT ref: 001A2CCC
_free.LIBCMT ref: 001A2CD7
_free.LIBCMT ref: 001A2CE2
_free.LIBCMT ref: 001A2CED
_free.LIBCMT ref: 001A2CFB

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 072b2ba1a88231a8fbe2310b8eae45f1b617764bf5ac32e30e4aba13f37a7277
Instruction ID: db9bb5ae162f5d728e6c4af8ab7083b21a499ef4a223cff2f5c94c29c8488a57
Opcode Fuzzy Hash: 072b2ba1a88231a8fbe2310b8eae45f1b617764bf5ac32e30e4aba13f37a7277
Instruction Fuzzy Hash: 4611B97A100118BFCB42EF58D842CEE3BA5FF16754F4144A5FA489F222D731EE509B91

Function 001E7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001E7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 001E7FC1
GetFileAttributesW.KERNEL32(?), ref: 001E7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 001E8005
SetCurrentDirectoryW.KERNEL32(?), ref: 001E8017
SetCurrentDirectoryW.KERNEL32(?), ref: 001E8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001E80B0

Strings

*.*, xrefs: 001E8066

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: e8eefaed0ba66fa3c1a84e25af557bb9ec1ae823966be974e3a6fc9950937536
Instruction ID: 34a8da9e99840ca0708b102b2480cfbb29cfe523e7976d221e2b874e8a51c622
Opcode Fuzzy Hash: e8eefaed0ba66fa3c1a84e25af557bb9ec1ae823966be974e3a6fc9950937536
Instruction Fuzzy Hash: BA81C0725087819BDB24EF16C8449AEB3E8BF99310F144C5EF889D7291EB34DD49CB92

Function 00175BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00175C7A

Part of subcall function 00175D0A: GetClientRect.USER32(?,?), ref: 00175D30
Part of subcall function 00175D0A: GetWindowRect.USER32(?,?), ref: 00175D71
Part of subcall function 00175D0A: ScreenToClient.USER32(?,?), ref: 00175D99

GetDC.USER32 ref: 001B46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001B4708
SelectObject.GDI32(00000000,00000000), ref: 001B4716
SelectObject.GDI32(00000000,00000000), ref: 001B472B
ReleaseDC.USER32(?,00000000), ref: 001B4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001B47C4

Strings

U, xrefs: 001B4693

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 539d512b2c7d3f87b026cb93878aa29653bfa0285c997fa833e06852a646c71d
Instruction ID: 846395b535677321b179f0cf5cb89797f7bb0604b08a83eb4c8c114cc39c2165
Opcode Fuzzy Hash: 539d512b2c7d3f87b026cb93878aa29653bfa0285c997fa833e06852a646c71d
Instruction Fuzzy Hash: EC71F234400205DFCF25CF64C985AFA7BB6FF4A360F248269ED559A1A7C7319851DF50

Function 001E359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001E35E4

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

LoadStringW.USER32(00242390,?,00000FFF,?), ref: 001E360A

Strings

Line %d (File "%s"):, xrefs: 001E366B
^ ERROR, xrefs: 001E36C9
"%s" (%d) : ==> %s:, xrefs: 001E3742
Error: , xrefs: 001E36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 001E3724

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: e006dcb2cd8d57c8c34e25ddf74af9245da221de036a7b7c475e1de716f2f166
Instruction ID: 579864fc795312c2d2a5b2ecb982bef8eb35505d42e7a76087aa53582f3ff491
Opcode Fuzzy Hash: e006dcb2cd8d57c8c34e25ddf74af9245da221de036a7b7c475e1de716f2f166
Instruction Fuzzy Hash: 13519F71C00649BBCF15EBA1DC46EEEBB78AF25300F148165F119721A2EB311B99DF61

Function 001EC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001EC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001EC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001EC2CA
GetLastError.KERNEL32 ref: 001EC322
SetEvent.KERNEL32(?), ref: 001EC336
InternetCloseHandle.WININET(00000000), ref: 001EC341

Strings

, xrefs: 001EC2BB

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 15a8c2e57d89e19d8104729fcf47d22b091c409bde69f4fc60eac748089b79a8
Instruction ID: 57eb97711102ef58fe120813f48d413273eb9ba286fbe56ce71f5701fd975938
Opcode Fuzzy Hash: 15a8c2e57d89e19d8104729fcf47d22b091c409bde69f4fc60eac748089b79a8
Instruction Fuzzy Hash: 99319FB1500B44AFD7219F669C88AAFBBFCFB59740B14851EF44692211DB30DD068BA0

Function 001D989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001B3AAF,?,?,Bad directive syntax error,0020CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001D98BC
LoadStringW.USER32(00000000,?,001B3AAF,?), ref: 001D98C3

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001D9987

Strings

Line %d (File "%s"):, xrefs: 001D992D
., xrefs: 001D996D
Error: , xrefs: 001D9955
%s (%d) : ==> %s.: %s %s, xrefs: 001D98F1
Line %d:, xrefs: 001D9912

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 98a5dfd23617c36a6d72aca0321ec06ed40d4a62e5dcfe97655159a3f0659d0d
Instruction ID: 375ebe092a876e387e606181833b52c13a528e3e7b29b44886c63105d7aa4d32
Opcode Fuzzy Hash: 98a5dfd23617c36a6d72aca0321ec06ed40d4a62e5dcfe97655159a3f0659d0d
Instruction Fuzzy Hash: 43219171C1021EBBCF25AF90CC1AEEE7739FF28704F04845AF519660A2EB319628DB11

Function 001D209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001D20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001D20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001D214D

Strings

details, xrefs: 001D20FB
smallicons, xrefs: 001D2115
SHELLDLL_DefView, xrefs: 001D20CC
largeicons, xrefs: 001D20E1
list, xrefs: 001D212F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: d967b7a5d984b6ae594b5e7d9b3e0519321f954700e9e2a456a8b3662f65c1b7
Instruction ID: 9b85c6f50f48585821d5aafc3ca9604f17f5b2822d8578879630aad6399c119d
Opcode Fuzzy Hash: d967b7a5d984b6ae594b5e7d9b3e0519321f954700e9e2a456a8b3662f65c1b7
Instruction Fuzzy Hash: FB1159B6288316BAFA152320EC0BCA6739CCF25328F204217FB09A51D2FF71A8135614

Function 001A8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8710b689cff5a9479aadfbb8b91e3c05ee50043f0914071766016be2aac33c33
Instruction ID: e4dd31befff801b02cad726c7c7bf35e039f80babdf64e4d1602a4b8d077f7f1
Opcode Fuzzy Hash: 8710b689cff5a9479aadfbb8b91e3c05ee50043f0914071766016be2aac33c33
Instruction Fuzzy Hash: 8AC1E27CD04249AFDF11DFA8D985BADBBB4AF1B310F144199F918A7392CB309981CB61

Function 001ACE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 001ACEB7
_free.LIBCMT ref: 001ACF22
_free.LIBCMT ref: 001ACF48
_free.LIBCMT ref: 001ACF71
_free.LIBCMT ref: 001ACFA9
_free.LIBCMT ref: 001ACFDA
_free.LIBCMT ref: 001AD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 001AD09C
_free.LIBCMT ref: 001AD0B5

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b8a6e5e64a3ff2b7cb4b0175fbb3317dd1d9cb5f2571366e478ea0415b4caf58
Instruction ID: 3712c5b2d07b24a88c53b5ae060f80895b0a34f78a38d20b289f35553ed99c62
Opcode Fuzzy Hash: b8a6e5e64a3ff2b7cb4b0175fbb3317dd1d9cb5f2571366e478ea0415b4caf58
Instruction Fuzzy Hash: D06165BAD04310AFDF25AFB8A885A7A7BA5EF13720F04416DFA55A7282D7319D0187D0

Function 002050D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00205186
ShowWindow.USER32(?,00000000), ref: 002051C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002051CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002051D1

Part of subcall function 00206FBA: DeleteObject.GDI32(00000000), ref: 00206FE6

GetWindowLongW.USER32(?,000000F0), ref: 0020520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0020521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0020524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00205287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00205296

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 2d91c001f3cfd6bc5f11aa4a89efb37f79a355609801b89f2c3f793fcee972bf
Instruction ID: d09458797c67b9a42c921d95378ca4e47737f099433ea6c1a5fbe90da74e5a52
Opcode Fuzzy Hash: 2d91c001f3cfd6bc5f11aa4a89efb37f79a355609801b89f2c3f793fcee972bf
Instruction Fuzzy Hash: C851B130A70B29FFEF249F24CC49B9A7B65EF05320F144111FA19962E2C7B5A9A0DF41

Function 00188B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 001C6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001C68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001C68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001C68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001C68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00188874,00000000,00000000,00000000,000000FF,00000000), ref: 001C6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001C691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00188874,00000000,00000000,00000000,000000FF,00000000), ref: 001C692D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0ac4499206e34a00d8f62cd9a5c43f0a291818b0f8d256717be76857e4345274
Instruction ID: 923286f28d3f95e7f71d0200b2edd0254c89ed2fe6653bde7f72bd91917ef965
Opcode Fuzzy Hash: 0ac4499206e34a00d8f62cd9a5c43f0a291818b0f8d256717be76857e4345274
Instruction Fuzzy Hash: 865169B4600309AFDB24EF24DC95FAA7BB5FB98750F104618F916972A0DB70EA90DF50

Function 001EC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001EC182
GetLastError.KERNEL32 ref: 001EC195
SetEvent.KERNEL32(?), ref: 001EC1A9

Part of subcall function 001EC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001EC272
Part of subcall function 001EC253: GetLastError.KERNEL32 ref: 001EC322
Part of subcall function 001EC253: SetEvent.KERNEL32(?), ref: 001EC336
Part of subcall function 001EC253: InternetCloseHandle.WININET(00000000), ref: 001EC341

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: c7bf1f451f0fbca9a28c4f824b3b43ae4d132d5facd5ecb6131d396173049d28
Instruction ID: 74cbf73b471e0379dbf4e851e7b55152351ad239ecea4bbb536f8971e4fdfa72
Opcode Fuzzy Hash: c7bf1f451f0fbca9a28c4f824b3b43ae4d132d5facd5ecb6131d396173049d28
Instruction Fuzzy Hash: B53192B1100B82EFDB259FA6EC48A6BBBF9FF58300B14451DFA5682611D730E815DBA0

Function 001D25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001D3A57
Part of subcall function 001D3A3D: GetCurrentThreadId.KERNEL32 ref: 001D3A5E
Part of subcall function 001D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001D25B3), ref: 001D3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001D25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001D25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001D25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001D25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001D2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 001D2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 001D260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001D2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 001D2627

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 400941fc0bcb131190f1b242a8c09a9b1d8160999ae6584e502ae52b4bc2dafe
Instruction ID: 3f8cdf075cae21225adc2724c3df126201a183c99f68324caae4a5d76cd1b532
Opcode Fuzzy Hash: 400941fc0bcb131190f1b242a8c09a9b1d8160999ae6584e502ae52b4bc2dafe
Instruction Fuzzy Hash: AE01D871390310BBFB206768AC8EF597F5DDB5EB11F200112F328AF1D2C9F254448AAA

Function 001D1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,001D1449,?,?,00000000), ref: 001D180C
HeapAlloc.KERNEL32(00000000,?,001D1449,?,?,00000000), ref: 001D1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001D1449,?,?,00000000), ref: 001D1828
GetCurrentProcess.KERNEL32(?,00000000,?,001D1449,?,?,00000000), ref: 001D1830
DuplicateHandle.KERNEL32(00000000,?,001D1449,?,?,00000000), ref: 001D1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001D1449,?,?,00000000), ref: 001D1843
GetCurrentProcess.KERNEL32(001D1449,00000000,?,001D1449,?,?,00000000), ref: 001D184B
DuplicateHandle.KERNEL32(00000000,?,001D1449,?,?,00000000), ref: 001D184E
CreateThread.KERNEL32(00000000,00000000,001D1874,00000000,00000000,00000000), ref: 001D1868

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 91cee7b87dbb0192dcc84f15ec56f0ac6dd3646a51488d5fc36e4a5ea9a542f6
Instruction ID: 38b5fa05fa50313692e502d0c9998596d37c1b133d8786d8b7e715fc91b7dd43
Opcode Fuzzy Hash: 91cee7b87dbb0192dcc84f15ec56f0ac6dd3646a51488d5fc36e4a5ea9a542f6
Instruction Fuzzy Hash: B401BFB5240304BFE710AB65EC4DF577B6CEB89B11F104511FA05DB192C6709800CB20

Function 001FA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 001DD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 001DD501
Part of subcall function 001DD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 001DD50F
Part of subcall function 001DD4DC: CloseHandle.KERNELBASE(00000000), ref: 001DD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001FA16D
GetLastError.KERNEL32 ref: 001FA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001FA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 001FA268
GetLastError.KERNEL32(00000000), ref: 001FA273
CloseHandle.KERNEL32(00000000), ref: 001FA2C4

Strings

SeDebugPrivilege, xrefs: 001FA18F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b6438628da07b16db13e8e12a9a7842c418d6efb5e6410892003ffa6e763c355
Instruction ID: 9f4c3ca2ce3f8bfc494ce4297bfbdbd330f3ee7b544e13d0dce0470e12100c48
Opcode Fuzzy Hash: b6438628da07b16db13e8e12a9a7842c418d6efb5e6410892003ffa6e763c355
Instruction Fuzzy Hash: AE61B0B0208242AFD710DF18C494F29BBE1AF54318F59C48CE56A4B7A3C776ED45CB92

Function 00203886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00203925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0020393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00203954
_wcslen.LIBCMT ref: 00203999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002039C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002039F4

Strings

SysListView32, xrefs: 002038F7

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 8fc33ed5cd36620aa9eeb03a919ef7f403c0395a461fee3ab9cf17980772fdd3
Instruction ID: 5549e3558b11b54f898d3abbe4751049918eb998d99f94049b5b3edb0043914d
Opcode Fuzzy Hash: 8fc33ed5cd36620aa9eeb03a919ef7f403c0395a461fee3ab9cf17980772fdd3
Instruction Fuzzy Hash: 9D419371A10319ABEF21DF64CC49BEA77ADEF48350F100566F958E72C2D77199A0CB90

Function 001DBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001DBCFD
IsMenu.USER32(00000000), ref: 001DBD1D
CreatePopupMenu.USER32 ref: 001DBD53
GetMenuItemCount.USER32(017E4C98), ref: 001DBDA4
InsertMenuItemW.USER32(017E4C98,?,00000001,00000030), ref: 001DBDCC

Strings

0, xrefs: 001DBCA8
2, xrefs: 001DBD37

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f3fd318f8f3f1ae61387295bb89f0597458f6b6878eca6320640a01628a0e731
Instruction ID: 8d5bdadbb2119adadae628265c2b7f0f8b64afa3557224c927fcfb874b61bf89
Opcode Fuzzy Hash: f3fd318f8f3f1ae61387295bb89f0597458f6b6878eca6320640a01628a0e731
Instruction Fuzzy Hash: 49519E70608A05DBDF14CFE8D8C8BAEBBF6BF59318F25425AE442A7391D7709940CB61

Function 001DC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001DC913

Strings

question, xrefs: 001DC8CC
info, xrefs: 001DC8B4
warning, xrefs: 001DC8FC
blank, xrefs: 001DC895
stop, xrefs: 001DC8E4

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 30d5c5faecb02c39474717dfc530c9ea5b80ac500a86944934438a96fd99572d
Instruction ID: 2e35b3d5ce44e91a88809e78861bf84496a7cb3ac17c660e94df2d81ad20e3d8
Opcode Fuzzy Hash: 30d5c5faecb02c39474717dfc530c9ea5b80ac500a86944934438a96fd99572d
Instruction Fuzzy Hash: D1113D32689307BBEB095B54DC93CAA679CDF16328B60452FF501A6382D7705D0092E4

Function 001DDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001DDE42
gethostname.WSOCK32(?,00000100), ref: 001DDE5C
gethostbyname.WSOCK32(?), ref: 001DDE69
inet_ntoa.WSOCK32(?), ref: 001DDEAB
_strcat.LIBCMT ref: 001DDEB9
WSACleanup.WSOCK32 ref: 001DDEDE

Strings

0.0.0.0, xrefs: 001DDE87

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 38b59a7d2beb23bc2f8720aec0c7df91271c95d284d2933462a8dce543e17739
Instruction ID: 8c8eb39cd613516427ba20487270903377f3a2be934ef401ec489800f46b0ce4
Opcode Fuzzy Hash: 38b59a7d2beb23bc2f8720aec0c7df91271c95d284d2933462a8dce543e17739
Instruction Fuzzy Hash: 2D110A71504204AFDB246B64EC0AEDE77BCDF25711F1101AAF40596292EF718A818B51

Function 001DED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 001DED2A
_wcslen.LIBCMT ref: 001DED3B
_wcslen.LIBCMT ref: 001DED79
_wcslen.LIBCMT ref: 001DEDAF
_wcslen.LIBCMT ref: 001DEDDF
_wcslen.LIBCMT ref: 001DEDEF
_wcslen.LIBCMT ref: 001DEE2B
_wcslen.LIBCMT ref: 001DEE5A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: c35aa9a892ddea8c95522bb86f4974fb1b8bc61352d9190a522f777c0b486a8e
Instruction ID: 722078e8704b7993958697dd7ddf7e8c70424de324e2ac9f2660a1f701e224b3
Opcode Fuzzy Hash: c35aa9a892ddea8c95522bb86f4974fb1b8bc61352d9190a522f777c0b486a8e
Instruction Fuzzy Hash: 75418065C1021876CF11FBF48C8A9DFB7A8AF55710F508562E518E3222FB34E255C3A6

Function 0018F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001C682C,00000004,00000000,00000000), ref: 0018F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,001C682C,00000004,00000000,00000000), ref: 001CF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001C682C,00000004,00000000,00000000), ref: 001CF454

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: aecefecba8dfe94e9128966e7e8aaa43ceeb4597a3d595c7f961bdbde0644d9d
Instruction ID: a2d523dc94064c191dfc8f72436a656d624a173a442e30c030d1c2506bb03acd
Opcode Fuzzy Hash: aecefecba8dfe94e9128966e7e8aaa43ceeb4597a3d595c7f961bdbde0644d9d
Instruction Fuzzy Hash: D9413D30A14780FAC73DAB29D88CB2A7B96BB66318F15413CF04752561C735DA83CF11

Function 00202D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00202D1B
GetDC.USER32(00000000), ref: 00202D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00202D2E
ReleaseDC.USER32(00000000,00000000), ref: 00202D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00202D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00202D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00205A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00202DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00202DE1

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7ba4196578d69a5660e48475c3de4e37783e1dc98bc77c1e27b0bc114c5e8c5d
Instruction ID: 5719ed246c5534a850d5213df7745304750072da0a5e1002ff4135314544e25f
Opcode Fuzzy Hash: 7ba4196578d69a5660e48475c3de4e37783e1dc98bc77c1e27b0bc114c5e8c5d
Instruction Fuzzy Hash: FD3189B2211214BBEB258F50DC8AFEB3BADEB49711F144156FE089A2D2C6759C51CBA0

Function 001D5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001D5637
_memcmp.LIBVCRUNTIME ref: 001D5659
_memcmp.LIBVCRUNTIME ref: 001D5671
_memcmp.LIBVCRUNTIME ref: 001D5684
_memcmp.LIBVCRUNTIME ref: 001D569E
_memcmp.LIBVCRUNTIME ref: 001D56B1
_memcmp.LIBVCRUNTIME ref: 001D56C9
_memcmp.LIBVCRUNTIME ref: 001D56E4

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 82a67efa36f831834a9e48b05a36ef357dac99ed6d639cc023ead76cadfb74cb
Instruction ID: efe8a73c0ea42aeda3e57901c5192e32576b3d36dba8e4b209dd7fa60c43282d
Opcode Fuzzy Hash: 82a67efa36f831834a9e48b05a36ef357dac99ed6d639cc023ead76cadfb74cb
Instruction Fuzzy Hash: 3221AA71A84B09B7E71995108E82FFA336FBF21394F540023FD045AB82F720EE6085A5

Function 001F4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 001F502E, 001F5383
Not an Object type, xrefs: 001F5007

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 728503306c1579eb7d8368645da188385e1ed9862ea04005a84f680d891ae8e4
Instruction ID: de6476db250fd5928f2bcc4351ec84afc2278a571bf802e8b570fef7c4f746e1
Opcode Fuzzy Hash: 728503306c1579eb7d8368645da188385e1ed9862ea04005a84f680d891ae8e4
Instruction Fuzzy Hash: D5D1A175A0060EAFDF14CF98C881BBEB7B6BF48344F158169EA15AB281D770ED41CB90

Function 001B1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001B17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001B15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001B1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001B17FB,?,001B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001B16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001B16FB

Part of subcall function 001A3820: RtlAllocateHeap.NTDLL(00000000,?,00241444,?,0018FDF5,?,?,0017A976,00000010,00241440,001713FC,?,001713C6,?,00171129), ref: 001A3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001B1777
__freea.LIBCMT ref: 001B17A2
__freea.LIBCMT ref: 001B17AE

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d06a9e0ecd319b6d101817921c082a599d84dc71135e8e8239894eda8393a16a
Instruction ID: 7ee038fe738027bae469ffa3369ee4665b3eb5881b766da3a3ac1427e5266098
Opcode Fuzzy Hash: d06a9e0ecd319b6d101817921c082a599d84dc71135e8e8239894eda8393a16a
Instruction Fuzzy Hash: 1591D872E10216BEDF248FB4C861AEEBBB5AF4A310F9A0659F805E7141DB35DD40CB60

Function 001F4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001F4648
VariantInit.OLEAUT32(?), ref: 001F4749
VariantClear.OLEAUT32(?), ref: 001F4753
VariantClear.OLEAUT32(?), ref: 001F47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 001F45D8, 001F4706, 001F47BE
Incorrect Object type in FOR..IN loop, xrefs: 001F472C

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 42b4a0b0606f0a2c93ca124d74079543f5cbcb2aa343b8713d51f7a3b03d7845
Instruction ID: 6e7cf2cb86629e8334e39ccf990d8ab0b461573f54b5428bfb99be1efbad7fa3
Opcode Fuzzy Hash: 42b4a0b0606f0a2c93ca124d74079543f5cbcb2aa343b8713d51f7a3b03d7845
Instruction Fuzzy Hash: FF918171A00219ABDF24DFA5D884FBFBBB8EF46714F108659F605AB281D7709941CFA0

Function 001E1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001E125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001E1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001E12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001E12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001E135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001E13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001E1430

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: fc6ae7f94ef664086eea2476200c22f1844242215b3476c98406f9a1f1e5dbcf
Instruction ID: 0f574e2656bade8fdfd1d281406de59404aa4acb5e5adc1b7261d3312ba22141
Opcode Fuzzy Hash: fc6ae7f94ef664086eea2476200c22f1844242215b3476c98406f9a1f1e5dbcf
Instruction Fuzzy Hash: 4391F572A00649AFDB01DFA5D884BFEB7B5FF55724F214029EA00EB292D774AD41CB90

Function 0018948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 52df6c5e1d9a4fc8945e26797e71396170142dcb5fd055686b4927090a6ada15
Instruction ID: 3e2d39698482431cf4b746be8403104f5351a144342d7348ac086429aa9d0549
Opcode Fuzzy Hash: 52df6c5e1d9a4fc8945e26797e71396170142dcb5fd055686b4927090a6ada15
Instruction Fuzzy Hash: 18911871D00219EFCB14DFA9C888AEEBBB9FF49320F28455AE515B7251D374AA41CF60

Function 001F3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001F396B
CharUpperBuffW.USER32(?,?), ref: 001F3A7A
_wcslen.LIBCMT ref: 001F3A8A
VariantClear.OLEAUT32(?), ref: 001F3C1F

Part of subcall function 001E0CDF: VariantInit.OLEAUT32(00000000), ref: 001E0D1F
Part of subcall function 001E0CDF: VariantCopy.OLEAUT32(?,?), ref: 001E0D28
Part of subcall function 001E0CDF: VariantClear.OLEAUT32(?), ref: 001E0D34

Strings

AUTOIT.ERROR, xrefs: 001F3A80, 001F3A85
Incorrect Parameter format, xrefs: 001F39A6, 001F3BA1

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: cc8c55e5d0da1172bc9f01c0076cb7a407df15fc949682c9ef3fcec14913afb5
Instruction ID: cdd7e4b7078e30b84cc5a0da135e9d0f77528fd6c95bed537e516ee9f64dfca6
Opcode Fuzzy Hash: cc8c55e5d0da1172bc9f01c0076cb7a407df15fc949682c9ef3fcec14913afb5
Instruction Fuzzy Hash: 489178746083099FCB04EF24C49196AB7E4FF98314F14892EF99A9B351DB31EE45CB92

Function 001F4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 001D000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?,?,?,001D035E), ref: 001D002B
Part of subcall function 001D000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?,?), ref: 001D0046
Part of subcall function 001D000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?,?), ref: 001D0054
Part of subcall function 001D000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?), ref: 001D0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001F4C51
_wcslen.LIBCMT ref: 001F4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001F4DCF
CoTaskMemFree.OLE32(?), ref: 001F4DDA

Strings

NULL Pointer assignment, xrefs: 001F4E23, 001F4E52

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 3f635093f4b32361b55a7f918ad3460ed119b41e3624cdf73bb6f43eadf0b5e7
Instruction ID: 9265d0c79887e73b2dc1808ad4871ed15890b42820fa0881d5723e45854ef96f
Opcode Fuzzy Hash: 3f635093f4b32361b55a7f918ad3460ed119b41e3624cdf73bb6f43eadf0b5e7
Instruction Fuzzy Hash: C9912871D0021DAFDF15DFA4D881AEEB7B8BF18314F10816AE919AB251EB349A44CF60

Function 002020FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00202183
GetMenuItemCount.USER32(00000000), ref: 002021B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002021DD
_wcslen.LIBCMT ref: 00202213
GetMenuItemID.USER32(?,?), ref: 0020224D
GetSubMenu.USER32(?,?), ref: 0020225B

Part of subcall function 001D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001D3A57
Part of subcall function 001D3A3D: GetCurrentThreadId.KERNEL32 ref: 001D3A5E
Part of subcall function 001D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001D25B3), ref: 001D3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002022E3

Part of subcall function 001DE97B: Sleep.KERNEL32 ref: 001DE9F3

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 465b79742160a3bd66bfb81e4e604ba35040c7630bf51a8774068814f19d0df1
Instruction ID: 75634f17e94d5052e6b3e1f52da0ec8839bbe2b14c190ef8104e7d4618442e31
Opcode Fuzzy Hash: 465b79742160a3bd66bfb81e4e604ba35040c7630bf51a8774068814f19d0df1
Instruction Fuzzy Hash: 05717075A10305EFCB14DFA4C849AAEB7F5EF48310F14845AE81AEB382D774AE458B90

Function 00207E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(017E4B30), ref: 00207F37
IsWindowEnabled.USER32(017E4B30), ref: 00207F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0020801E
SendMessageW.USER32(017E4B30,000000B0,?,?), ref: 00208051
IsDlgButtonChecked.USER32(?,?), ref: 00208089
GetWindowLongW.USER32(017E4B30,000000EC), ref: 002080AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002080C3

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 94be410c8b13d487820ececd3352d17ec2bf7e509ce22af948273293965d703c
Instruction ID: 10946539d89d87339ff17abdd2b22df21bb672fd2f2617315d3d232212e5e186
Opcode Fuzzy Hash: 94be410c8b13d487820ececd3352d17ec2bf7e509ce22af948273293965d703c
Instruction Fuzzy Hash: 07719374918306AFEF259F54C888FAA7BB9EF59300F144459E945972D2CB31B865CB10

Function 001DAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001DAEF9
GetKeyboardState.USER32(?), ref: 001DAF0E
SetKeyboardState.USER32(?), ref: 001DAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 001DAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 001DAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 001DAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001DB020

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9d81abe34fe08fc3ac2aa98da682fb15c15679beb5d2f9aff4bb35f923b77482
Instruction ID: f1df6970d18b585485ffcb2c7c79a066827b15b7da52802db04e36f68f44d7ad
Opcode Fuzzy Hash: 9d81abe34fe08fc3ac2aa98da682fb15c15679beb5d2f9aff4bb35f923b77482
Instruction Fuzzy Hash: 7151C1A16087D57DFB3683348885BBFBEA95F06304F08858AF1DA459C2C399ADC8D751

Function 001DACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001DAD19
GetKeyboardState.USER32(?), ref: 001DAD2E
SetKeyboardState.USER32(?), ref: 001DAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001DADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001DADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001DAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001DAE38

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1e508d7152749728964dc15e83748c47ad9c0d12c59ab123c0d4e749ebd317a9
Instruction ID: f0bc265958d987a7f72c43725fd55ab9eb5f844da26beb067a04516d116eee6a
Opcode Fuzzy Hash: 1e508d7152749728964dc15e83748c47ad9c0d12c59ab123c0d4e749ebd317a9
Instruction Fuzzy Hash: 255104A15087D53DFB36C3748C95B7ABFA95F46300F48858AE1D546AC3C394EC88E762

Function 001A542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(001B3CD6,?,?,?,?,?,?,?,?,001A5BA3,?,?,001B3CD6,?,?), ref: 001A5470
__fassign.LIBCMT ref: 001A54EB
__fassign.LIBCMT ref: 001A5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,001B3CD6,00000005,00000000,00000000), ref: 001A552C
WriteFile.KERNEL32(?,001B3CD6,00000000,001A5BA3,00000000,?,?,?,?,?,?,?,?,?,001A5BA3,?), ref: 001A554B
WriteFile.KERNEL32(?,?,00000001,001A5BA3,00000000,?,?,?,?,?,?,?,?,?,001A5BA3,?), ref: 001A5584

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: f5d40dbeec0bb8a00e2ea8e1d17e5a8b978946fb2888088496293532d1d245d0
Instruction ID: 77fd8e4a1b435cbcfaff8ff3f78035fa704ffde0c6fa13dec5975a47a750bae9
Opcode Fuzzy Hash: f5d40dbeec0bb8a00e2ea8e1d17e5a8b978946fb2888088496293532d1d245d0
Instruction Fuzzy Hash: 2A51A4B5D046499FDB10CFA8D885AEEBBFAEF0A300F14415AF955E7291D7309A41CB60

Function 00192D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00192D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00192D53
_ValidateLocalCookies.LIBCMT ref: 00192DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00192E0C
_ValidateLocalCookies.LIBCMT ref: 00192E61

Strings

csm, xrefs: 00192DF6

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c05c003296890805b4162a8d0afa1cc4f74f086cbb25feb2a38d3d438853c942
Instruction ID: f58b99823fd5b488740eb0d823ba48eb615ad1c9caaaeaf10e82859437dfc2b7
Opcode Fuzzy Hash: c05c003296890805b4162a8d0afa1cc4f74f086cbb25feb2a38d3d438853c942
Instruction Fuzzy Hash: 5A41CF34E01209BBCF14DFA8C885A9EBBF5BF55324F148155E814AB392D771AE12CBD0

Function 001F10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001F307A
Part of subcall function 001F304E: _wcslen.LIBCMT ref: 001F309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001F1112
WSAGetLastError.WSOCK32 ref: 001F1121
WSAGetLastError.WSOCK32 ref: 001F11C9
closesocket.WSOCK32(00000000), ref: 001F11F9

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 535ac60cb25e4ebb97e525d1d9ab4a4341178ab423ea30460bb27b9d670dbb34
Instruction ID: af2dd6e808040e3ec5942a1b5d78de3f8e14afbcead1d584c84c2c25c3d4fe62
Opcode Fuzzy Hash: 535ac60cb25e4ebb97e525d1d9ab4a4341178ab423ea30460bb27b9d670dbb34
Instruction Fuzzy Hash: A141D471604608EFDB109F24D888BB9B7E9EF45324F148159FE199B292C770AE41CBE1

Function 001DCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001DCF22,?), ref: 001DDDFD

Part of subcall function 001DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001DCF22,?), ref: 001DDE16

lstrcmpiW.KERNEL32(?,?), ref: 001DCF45
MoveFileW.KERNEL32(?,?), ref: 001DCF7F
_wcslen.LIBCMT ref: 001DD005
_wcslen.LIBCMT ref: 001DD01B
SHFileOperationW.SHELL32(?), ref: 001DD061

Strings

\*.*, xrefs: 001DCFF3

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: fd5eebfc11b03fe388447335ed8360462d26c1f7a953895d89bbce3e8a7c3dd0
Instruction ID: 71c94d871f8da71699f100517b7902f7e985bca4ea84b8214f4aa1623203d956
Opcode Fuzzy Hash: fd5eebfc11b03fe388447335ed8360462d26c1f7a953895d89bbce3e8a7c3dd0
Instruction Fuzzy Hash: 2D4147B19452195FDF12EFA4DD81EDEB7B9AF18380F1004E7E509EB242EB34A648CB50

Function 00202DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00202E1C
GetWindowLongW.USER32(?,000000F0), ref: 00202E4F
GetWindowLongW.USER32(?,000000F0), ref: 00202E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00202EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00202EE0
GetWindowLongW.USER32(?,000000F0), ref: 00202EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00202F0B

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 2491752fd4cd4c59e4d1e10a86320669628f4022a24c8f64aa2b21689ea528ca
Instruction ID: e4b866644a65dae9e3552d9be54d118cb57c11a38a95f6ec6fbdb037f5d5ac04
Opcode Fuzzy Hash: 2491752fd4cd4c59e4d1e10a86320669628f4022a24c8f64aa2b21689ea528ca
Instruction Fuzzy Hash: DD310334694251EFDB218F58EC8CF6537A4EB8A750F240166FA049F2F3CB71B8A49B00

Function 001D7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001D7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001D778F
SysAllocString.OLEAUT32(00000000), ref: 001D7792
SysAllocString.OLEAUT32(?), ref: 001D77B0
SysFreeString.OLEAUT32(?), ref: 001D77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001D77DE
SysAllocString.OLEAUT32(?), ref: 001D77EC

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 64da4e92d625e99fe2790300cd3b78c9c2075649fad770805bc58ef305eec6e1
Instruction ID: d8eefecca421e024ee9d858062f314e217fbf866399d39303d83c26255a4d046
Opcode Fuzzy Hash: 64da4e92d625e99fe2790300cd3b78c9c2075649fad770805bc58ef305eec6e1
Instruction Fuzzy Hash: F021B276604219AFDB10EFA8DC8CCBB73ACFB093647108526FA04DB291E770DC418B60

Function 001D77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001D7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001D7868
SysAllocString.OLEAUT32(00000000), ref: 001D786B
SysAllocString.OLEAUT32 ref: 001D788C
SysFreeString.OLEAUT32 ref: 001D7895
StringFromGUID2.OLE32(?,?,00000028), ref: 001D78AF
SysAllocString.OLEAUT32(?), ref: 001D78BD

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 031b75d9aa46c094e86c2a2294b8daab4c1a6fc93d63d4152291836aa904deaf
Instruction ID: 4f1274e517242a44edfa962aca949f52816cdff4ba271c53393357f47c7949de
Opcode Fuzzy Hash: 031b75d9aa46c094e86c2a2294b8daab4c1a6fc93d63d4152291836aa904deaf
Instruction Fuzzy Hash: 71214F75608204AFDB10AFA8DC8DDAA77ECFB097607118126F915CB2E1EB74DC41DB64

Function 001E04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001E04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001E052E

Strings

nul, xrefs: 001E0567

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 627d5ab0f9702b60c65d76385cc09a34b1d796bd9e6414f56e08fdee75a39eb3
Instruction ID: 97ff86203e82863111fc62f4295cff1b7a3a098632d3b857abc8ba214aca15dd
Opcode Fuzzy Hash: 627d5ab0f9702b60c65d76385cc09a34b1d796bd9e6414f56e08fdee75a39eb3
Instruction Fuzzy Hash: 7E2180B1500745AFDB219F2ADC08A9E77B4BF49724F244A19F8A1D62E0D7B0D980CF20

Function 001E05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001E05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001E0601

Strings

nul, xrefs: 001E0639

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2c76623f7d72858151ed54319085af684491d23c6dddd005b969745cdc46006b
Instruction ID: 3c98e56fe565d6e5e972642c8c673aad224d888197545d68bb7f3a42cbce4d4d
Opcode Fuzzy Hash: 2c76623f7d72858151ed54319085af684491d23c6dddd005b969745cdc46006b
Instruction Fuzzy Hash: 0A2171755007459FDB219F6A9C04B5E77E4BF9D720F244B19F8A1E72E0D7B098A1CB10

Function 002040AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0017600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0017604C
Part of subcall function 0017600E: GetStockObject.GDI32(00000011), ref: 00176060
Part of subcall function 0017600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0017606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00204112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0020411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0020412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00204139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00204145

Strings

Msctls_Progress32, xrefs: 002040E3

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 2c06360159c39fc9ec66640c465df212b016c4952eb18b49b5de2c169c94f767
Instruction ID: 82ff81d4511e04f955a88961e6eeb51b11b4d6f26eabce0e3179ef7cfe078592
Opcode Fuzzy Hash: 2c06360159c39fc9ec66640c465df212b016c4952eb18b49b5de2c169c94f767
Instruction Fuzzy Hash: 1011B6B215021DBEEF119F64CC85EE77F6DEF09798F008110B718A2091CB729C61DBA4

Function 001AD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001AD7A3: _free.LIBCMT ref: 001AD7CC

_free.LIBCMT ref: 001AD82D

Part of subcall function 001A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000), ref: 001A29DE
Part of subcall function 001A29C8: GetLastError.KERNEL32(00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000,00000000), ref: 001A29F0

_free.LIBCMT ref: 001AD838
_free.LIBCMT ref: 001AD843
_free.LIBCMT ref: 001AD897
_free.LIBCMT ref: 001AD8A2
_free.LIBCMT ref: 001AD8AD
_free.LIBCMT ref: 001AD8B8

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: bc3552315721127901d1960116a5ab5cc1711b018583edef86f9b4f3b920ad34
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D3118E75540F14AAD621BFF0DC07FDB7BDCAF22B04F400825F29AA68A2DB34B5058662

Function 001DDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001DDA74
LoadStringW.USER32(00000000), ref: 001DDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001DDA91
LoadStringW.USER32(00000000), ref: 001DDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001DDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001DDAB9

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f927f779ae63dc0b50b2ac0f0a86c6dd097cf99b10d79406497dca1665307863
Instruction ID: 67e6c5f6196f1952bebde80e699116076d74412b47dc98b08e421a99db6c5e1f
Opcode Fuzzy Hash: f927f779ae63dc0b50b2ac0f0a86c6dd097cf99b10d79406497dca1665307863
Instruction Fuzzy Hash: F50186F69003087FE7109BA4ED8DEE7736CE708301F504592B706E2182E6749E844F74

Function 001E096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(017DD540,017DD540), ref: 001E097B
EnterCriticalSection.KERNEL32(017DD520,00000000), ref: 001E098D
TerminateThread.KERNEL32(?,000001F6), ref: 001E099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 001E09A9
CloseHandle.KERNEL32(?), ref: 001E09B8
InterlockedExchange.KERNEL32(017DD540,000001F6), ref: 001E09C8
LeaveCriticalSection.KERNEL32(017DD520), ref: 001E09CF

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: fa885fa4c4ec4f4818b3338f43bdbf86a9b8c2152cc75bc0b49d65c88278df86
Instruction ID: 87c50a26374dfb13bcf15fcdc0df98ee0ad4c94bed0b9c291729dea9f88e9066
Opcode Fuzzy Hash: fa885fa4c4ec4f4818b3338f43bdbf86a9b8c2152cc75bc0b49d65c88278df86
Instruction Fuzzy Hash: FEF01D71442A02AFD7426F94EE8CADABA25BF05702F501225F10150CA2C7749465CF90

Function 001F1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001F1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001F1DE1
WSAGetLastError.WSOCK32 ref: 001F1DF2
htons.WSOCK32(?,?,?,?,?), ref: 001F1EDB
inet_ntoa.WSOCK32(?), ref: 001F1E8C

Part of subcall function 001D39E8: _strlen.LIBCMT ref: 001D39F2

Part of subcall function 001F3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,001EEC0C), ref: 001F3240

_strlen.LIBCMT ref: 001F1F35

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 7f485d0f35aa3412bd537f6c6a5d66cd787307b3f80af622274971db5d6f74fa
Instruction ID: bf0dc6627870ea319834b36c68b26a8ef672ec62ba980616f74537eb538cd69a
Opcode Fuzzy Hash: 7f485d0f35aa3412bd537f6c6a5d66cd787307b3f80af622274971db5d6f74fa
Instruction Fuzzy Hash: EDB1BE31204344AFC324EF24C895E3A7BB5AF94318F54854CF55A5B2E2DB31EE46CB91

Function 00175D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00175D30
GetWindowRect.USER32(?,?), ref: 00175D71
ScreenToClient.USER32(?,?), ref: 00175D99
GetClientRect.USER32(?,?), ref: 00175ED7
GetWindowRect.USER32(?,?), ref: 00175EF8

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: ba1003d79357295755c0789bb44f16191a7bfcc9505703f99a3e60fe1a3c0936
Instruction ID: dd93a61fb3cb19723b7bd92c4542ead43ad6f68d904abca391d1dfb0eeaf9bd8
Opcode Fuzzy Hash: ba1003d79357295755c0789bb44f16191a7bfcc9505703f99a3e60fe1a3c0936
Instruction Fuzzy Hash: 0AB15774A00B4ADBDB14CFA9C4807EAB7F2FF48310F14C51AE8A9D7250DB70AA51DB54

Function 001A01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001A00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A00D6
__allrem.LIBCMT ref: 001A00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A010B
__allrem.LIBCMT ref: 001A0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A0140

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 2ed0f818a7eb7ace303a13b8604445a64100d64655ef190365d21577ca3f9a02
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: C981297AA00706AFEB259F78CC81BAB73E8AF56364F25413EF511D7281E770D9418B90

Function 001A61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001982D9,001982D9,?,?,?,001A644F,00000001,00000001,8BE85006), ref: 001A6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001A644F,00000001,00000001,8BE85006,?,?,?), ref: 001A62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001A63D8
__freea.LIBCMT ref: 001A63E5

Part of subcall function 001A3820: RtlAllocateHeap.NTDLL(00000000,?,00241444,?,0018FDF5,?,?,0017A976,00000010,00241440,001713FC,?,001713C6,?,00171129), ref: 001A3852

__freea.LIBCMT ref: 001A63EE
__freea.LIBCMT ref: 001A6413

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4d8c489e9455caf975fd49b563c2c3ad17bc93470e26880ab406f476a6d51a55
Instruction ID: b1ef66a5d694b8c6d7ce361263cc32e7be0d75a458eda6cc87cee635af8243ab
Opcode Fuzzy Hash: 4d8c489e9455caf975fd49b563c2c3ad17bc93470e26880ab406f476a6d51a55
Instruction Fuzzy Hash: 6251D0B6A00216AFDF258F64DC81FAF77AAEF56710F194629FC09D6180EB34DC45C6A0

Function 001FBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FB6AE,?,?), ref: 001FC9B5
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FC9F1
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA68
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001FBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001FBD25
RegCloseKey.ADVAPI32(00000000), ref: 001FBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001FBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001FBDF3
RegCloseKey.ADVAPI32(?), ref: 001FBDFF

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: f191feeb6bbfdbadabfb235f7e91656ab022f1ff7cc7fc5be6d78348d2f80b7e
Instruction ID: 6d284029a8e13ce5a628f92366f0c980c9fa7ea03f062545eb9ee9ed2cd6051b
Opcode Fuzzy Hash: f191feeb6bbfdbadabfb235f7e91656ab022f1ff7cc7fc5be6d78348d2f80b7e
Instruction Fuzzy Hash: B0817970208245AFD714DF64C885E2ABBF5FF84348F14895CF6598B2A2DB32ED45CB92

Function 001CF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 001CF7B9
SysAllocString.OLEAUT32(00000001), ref: 001CF860
VariantCopy.OLEAUT32(001CFA64,00000000), ref: 001CF889
VariantClear.OLEAUT32(001CFA64), ref: 001CF8AD
VariantCopy.OLEAUT32(001CFA64,00000000), ref: 001CF8B1
VariantClear.OLEAUT32(?), ref: 001CF8BB

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 22377deef739da5fd0c5b8493eeb3ac44e2ada12d67b11efd201ab969a1a90f1
Instruction ID: 4038b1eb70d4cc94d9dbe577e07f33080164d2b3a34669020f716aba7d3991de
Opcode Fuzzy Hash: 22377deef739da5fd0c5b8493eeb3ac44e2ada12d67b11efd201ab969a1a90f1
Instruction Fuzzy Hash: AB51C335600310ABCF14AB65D896F29B3A6AF65314B20946EF906DF292DB70CC46CB57

Function 001E910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00177620: _wcslen.LIBCMT ref: 00177625

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001E94E5
_wcslen.LIBCMT ref: 001E9506
_wcslen.LIBCMT ref: 001E952D
GetSaveFileNameW.COMDLG32(00000058), ref: 001E9585

Strings

X, xrefs: 001E9412

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 4a79a6615b895d22741bc206457076ebbabfd512746775b615401604b705c88e
Instruction ID: df87ed8c8395d93b93483e6e00f2c24f02cc08e86f01a5ffc31befd7f8d4435c
Opcode Fuzzy Hash: 4a79a6615b895d22741bc206457076ebbabfd512746775b615401604b705c88e
Instruction Fuzzy Hash: 39E1BF315087809FD724EF25C881A6EB7F0BF95314F14896DF8999B2A2DB31ED05CB92

Function 0018920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

BeginPaint.USER32(?,?,?), ref: 00189241
GetWindowRect.USER32(?,?), ref: 001892A5
ScreenToClient.USER32(?,?), ref: 001892C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001892D3
EndPaint.USER32(?,?,?,?,?), ref: 00189321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001C71EA

Part of subcall function 00189339: BeginPath.GDI32(00000000), ref: 00189357

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 579fcf9e746d93b2042b8693d941385b982a1e63dfe8d4df5b7474d20c4d310f
Instruction ID: 81772d2d2fba54dbe784f277a117db07384cc83c6d72600b2d30f1b5d06f2535
Opcode Fuzzy Hash: 579fcf9e746d93b2042b8693d941385b982a1e63dfe8d4df5b7474d20c4d310f
Instruction Fuzzy Hash: 7F41AC70104300AFD721EF24E888FBA7BB8EF56720F180629F9A4872E2C7719945DF61

Function 001E07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001E080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001E0847
EnterCriticalSection.KERNEL32(?), ref: 001E0863
LeaveCriticalSection.KERNEL32(?), ref: 001E08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001E08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 001E0921

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 2a7a6a6d2a01c6cc828f8eb91a7e3658f63b0145791afcfca8cdb1fc585681de
Instruction ID: 1fdb2dad87307bf54051f90f4701f0d2a4ac053c8db6f7592f2a2c193c510fc6
Opcode Fuzzy Hash: 2a7a6a6d2a01c6cc828f8eb91a7e3658f63b0145791afcfca8cdb1fc585681de
Instruction Fuzzy Hash: 66416871900205EFDF15AF54EC85AAAB7B8FF48300F1440A9ED049A297DB70DEA5DBA0

Function 002081DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,001CF3AB,00000000,?,?,00000000,?,001C682C,00000004,00000000,00000000), ref: 0020824C
EnableWindow.USER32(?,00000000), ref: 00208272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002082D1
ShowWindow.USER32(?,00000004), ref: 002082E5
EnableWindow.USER32(?,00000001), ref: 0020830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0020832F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 9ca55f8f00ce2b60867b8b5c09d3f4082985fe48b6b71376e8d61b2c1ef0f40d
Instruction ID: f28161655317d821c90acce6a47a9c7888bb8820ef1ba93a9a795537cc67530e
Opcode Fuzzy Hash: 9ca55f8f00ce2b60867b8b5c09d3f4082985fe48b6b71376e8d61b2c1ef0f40d
Instruction Fuzzy Hash: 14418434601745AFDF25CF15D89DBA57BE0BB4A714F1842A9E9484F2F3CB31A861CB50

Function 001D4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001D4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001D4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001D4CEA
_wcslen.LIBCMT ref: 001D4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001D4D10
_wcsstr.LIBVCRUNTIME ref: 001D4D1A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 14b2c031d42c5f60f924a7a7feac610261c2f19988e69eba31a390ad93555c36
Instruction ID: 27a236f209721c90285862aca2d256e49e1e3413dd82742b1f7b9194e8f8694d
Opcode Fuzzy Hash: 14b2c031d42c5f60f924a7a7feac610261c2f19988e69eba31a390ad93555c36
Instruction Fuzzy Hash: F0212672204200BBEB295B79EC49E7B7B9DDF95750F10812EF809CA292EF71CD4187A0

Function 001E581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00173AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00173A97,?,?,00172E7F,?,?,?,00000000), ref: 00173AC2

_wcslen.LIBCMT ref: 001E587B
CoInitialize.OLE32(00000000), ref: 001E5995
CoCreateInstance.OLE32(0020FCF8,00000000,00000001,0020FB68,?), ref: 001E59AE
CoUninitialize.OLE32 ref: 001E59CC

Strings

.lnk, xrefs: 001E5876, 001E58C1, 001E5985

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: eed2ab0f194eb289ef5e92920a2f8e52380d119d25751f0a2fff3cca8bb6331f
Instruction ID: ff3a1979db346eb29a6ee15c0eb47c387493b581596c700a506b22cc44187ed9
Opcode Fuzzy Hash: eed2ab0f194eb289ef5e92920a2f8e52380d119d25751f0a2fff3cca8bb6331f
Instruction Fuzzy Hash: 39D15370604B019FC714DF26C48496EBBF2EF99718F14885DF8899B262D731ED45CB92

Function 001D175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001D0FCA
Part of subcall function 001D0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001D0FD6
Part of subcall function 001D0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001D0FE5
Part of subcall function 001D0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001D0FEC
Part of subcall function 001D0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001D1002

GetLengthSid.ADVAPI32(?,00000000,001D1335), ref: 001D17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001D17BA
HeapAlloc.KERNEL32(00000000), ref: 001D17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001D17DA
GetProcessHeap.KERNEL32(00000000,00000000,001D1335), ref: 001D17EE
HeapFree.KERNEL32(00000000), ref: 001D17F5

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 605b58ac9bc4c2b4e3889ce4fc802e9f835cb6d7f1c9a6078372980ca84bd7a7
Instruction ID: c6de7b2e42d04cc36a0f60ddf33534420398586ce1ea892e8b190544545a5fa8
Opcode Fuzzy Hash: 605b58ac9bc4c2b4e3889ce4fc802e9f835cb6d7f1c9a6078372980ca84bd7a7
Instruction Fuzzy Hash: D711BE72600205FFDB109FA4DC49BAFBBB9FB45355F20422AF44597221C735A940CB60

Function 001D14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001D14FF
OpenProcessToken.ADVAPI32(00000000), ref: 001D1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001D1515
CloseHandle.KERNEL32(00000004), ref: 001D1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001D154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 001D1563

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bab024b6aa76a32528a311262f9226d16bcb6db35f46175203c6dff9619fa879
Instruction ID: 385aa66fb56972fcec9f2918bc0b49405cf3f75157c9580ab8563c1ffc1800bf
Opcode Fuzzy Hash: bab024b6aa76a32528a311262f9226d16bcb6db35f46175203c6dff9619fa879
Instruction Fuzzy Hash: 561167B250420DBBDF119FA8ED49FDE7BA9EF49704F148125FA05A21A0C376CE60DB60

Function 00193382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00193379,00192FE5), ref: 00193390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0019339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001933B7
SetLastError.KERNEL32(00000000,?,00193379,00192FE5), ref: 00193409

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 35829653a7d3bddb252fdcbf4f9d2c367ebf5c1f72848ed42571c1603c655c5a
Instruction ID: 6d7e691b71490f92b033e05a05577ceaa5dd0ebcd5eb7af1d245efe1462ca8f3
Opcode Fuzzy Hash: 35829653a7d3bddb252fdcbf4f9d2c367ebf5c1f72848ed42571c1603c655c5a
Instruction Fuzzy Hash: 3801DF3266D311BFEF2927B57D89A672AA4EB257797300329F830912F1EF114F025654

Function 001A2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001A5686,001B3CD6,?,00000000,?,001A5B6A,?,?,?,?,?,0019E6D1,?,00238A48), ref: 001A2D78
_free.LIBCMT ref: 001A2DAB
_free.LIBCMT ref: 001A2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0019E6D1,?,00238A48,00000010,00174F4A,?,?,00000000,001B3CD6), ref: 001A2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0019E6D1,?,00238A48,00000010,00174F4A,?,?,00000000,001B3CD6), ref: 001A2DEC
_abort.LIBCMT ref: 001A2DF2

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: fcb79b358b60a00d91f949699893763f7581d0449ed1535da2b5161ea612ba57
Instruction ID: a206bd179b7b03833c716b7e24936e6059a8133b12eb8ef74df3f6467ae15484
Opcode Fuzzy Hash: fcb79b358b60a00d91f949699893763f7581d0449ed1535da2b5161ea612ba57
Instruction Fuzzy Hash: 3CF0C87D5056006BC22227BDBC0AF2B265AAFD37B1F350519F828D31D7EF3488025261

Function 00208A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00189639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00189693
Part of subcall function 00189639: SelectObject.GDI32(?,00000000), ref: 001896A2
Part of subcall function 00189639: BeginPath.GDI32(?), ref: 001896B9
Part of subcall function 00189639: SelectObject.GDI32(?,00000000), ref: 001896E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00208A4E
LineTo.GDI32(?,00000003,00000000), ref: 00208A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00208A70
LineTo.GDI32(?,00000000,00000003), ref: 00208A80
EndPath.GDI32(?), ref: 00208A90
StrokePath.GDI32(?), ref: 00208AA0

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: c7ca4eb3ea44383660ecc89ac0a42112e9d9370bbcdcdaefa56fc709a7aa9b48
Instruction ID: 52467a45c7e4016b1e9df27681e83caae43959fa8f1be4a72c093effe041a43b
Opcode Fuzzy Hash: c7ca4eb3ea44383660ecc89ac0a42112e9d9370bbcdcdaefa56fc709a7aa9b48
Instruction Fuzzy Hash: 45111EB600024DFFEF119F90EC88EAA7F6DEB04350F148111FA19951A1C7719D55DFA0

Function 001D51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001D5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 001D5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001D5230
ReleaseDC.USER32(00000000,00000000), ref: 001D5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 001D524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 001D5261

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e6962d204832bb77a5dba59e598bd2c18a6d0ba70c162b2e110c28e270c3b057
Instruction ID: 419c6aa9ce3e97b29ad8d954a5bd0a381bfeae5bda109f22aa14dc312c0ee413
Opcode Fuzzy Hash: e6962d204832bb77a5dba59e598bd2c18a6d0ba70c162b2e110c28e270c3b057
Instruction Fuzzy Hash: A6018FB5A00708BBEB109BA59C49F4EBFB9EB58751F144166FA04A7281D6709804CBA0

Function 00171BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00171BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00171BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00171C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00171C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00171C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00171C22

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: cec40cef614fd2d822a71f30893fa2c586ed7cbab612551ec9c94c3199a8d29e
Instruction ID: 0fa7cbcd10a937b749345293cc7eb401518ea9672fd79ab498ebaff1a23a0eaf
Opcode Fuzzy Hash: cec40cef614fd2d822a71f30893fa2c586ed7cbab612551ec9c94c3199a8d29e
Instruction Fuzzy Hash: 2A016CB09027597DE3008F5A8C85B52FFA8FF59354F00411B915C47942C7F5A864CBE5

Function 001DEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001DEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001DEB46
GetWindowThreadProcessId.USER32(?,?), ref: 001DEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001DEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001DEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001DEB75

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1860760ecef667ed24707e93314c60c98afc2df7d3d33d4eef1fa85147af639a
Instruction ID: 6a5d92ca12229199dac031f4ac1153c81cdfd4f0ab91f3a64b2cbe6004059bad
Opcode Fuzzy Hash: 1860760ecef667ed24707e93314c60c98afc2df7d3d33d4eef1fa85147af639a
Instruction Fuzzy Hash: 3AF054B2140258BBE7316B52EC0DEEF7E7CEFCAB11F104259F601D1192D7A15A01C6B5

Function 001C7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 001C7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 001C7469
GetWindowDC.USER32(?), ref: 001C7475
GetPixel.GDI32(00000000,?,?), ref: 001C7484
ReleaseDC.USER32(?,00000000), ref: 001C7496
GetSysColor.USER32(00000005), ref: 001C74B0

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: adc77d7886a517bdded66f67e02f244b832d7aa07b12953bc1d0d148d1a1b88c
Instruction ID: 6e49135ae7c688160aa3f8b929647aa7e59366a00119c28ea23879051577997e
Opcode Fuzzy Hash: adc77d7886a517bdded66f67e02f244b832d7aa07b12953bc1d0d148d1a1b88c
Instruction Fuzzy Hash: F2018B71400205EFDB245F64EC0CFAA7FB9FB04321F610264FA15A21E2CB311E51AF10

Function 001D1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D187F
UnloadUserProfile.USERENV(?,?), ref: 001D188B
CloseHandle.KERNEL32(?), ref: 001D1894
CloseHandle.KERNEL32(?), ref: 001D189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001D18A5
HeapFree.KERNEL32(00000000), ref: 001D18AC

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 738510df06a826285d2e2f458165425e2dc521d75e2f1f2354fb6e02a329503c
Instruction ID: 44fff6088ad8aa84e6b11e7ca6bf62510f22556a442ba014c617a70f7ebc0dec
Opcode Fuzzy Hash: 738510df06a826285d2e2f458165425e2dc521d75e2f1f2354fb6e02a329503c
Instruction Fuzzy Hash: D3E075B6104605BBDB016FA5FD0C94AFF79FF49B22B608725F229814B2CB329461DF90

Function 0017BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0017BEB3

Strings

D%$, xrefs: 0017BCA2
D%$, xrefs: 0017BE9A
D%$, xrefs: 0017BDED, 0017BD91, 0017BD1B
D%$D%$, xrefs: 0017BCA5

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%$$D%$$D%$$D%$D%$
API String ID: 1385522511-512792284
Opcode ID: 39ba8c707c93c60312a2d8c1a938b1cbf42bbf08477ef99b1ec5863918f63547
Instruction ID: 5df187be193021547343e73a3e470d86b3fb04bda4406150f4d0552f2816464a
Opcode Fuzzy Hash: 39ba8c707c93c60312a2d8c1a938b1cbf42bbf08477ef99b1ec5863918f63547
Instruction Fuzzy Hash: 8C914B75A0820ACFCB18CF99C0D06AAB7F1FF59314F65C169E949AB351D731E981CB90

Function 001DC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00177620: _wcslen.LIBCMT ref: 00177625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001DC6EE
_wcslen.LIBCMT ref: 001DC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001DC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001DC7CA

Strings

0, xrefs: 001DC6AF

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: ea66c509153e04d3c8e926b8a1e2706d8beb140b8f525e2574156fb6cc3e351a
Instruction ID: 14c4a4a0f071960fb7c7c59f1af50ea78fad3c97d1b5063209f36388c1b65a28
Opcode Fuzzy Hash: ea66c509153e04d3c8e926b8a1e2706d8beb140b8f525e2574156fb6cc3e351a
Instruction Fuzzy Hash: 9051AD726143029BD7149F28C885B6BB7E8AF99314F040E2EF995D23E1DB70D944CF92

Function 001FAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 001FAEA3

Part of subcall function 00177620: _wcslen.LIBCMT ref: 00177625

GetProcessId.KERNEL32(00000000), ref: 001FAF38
CloseHandle.KERNEL32(00000000), ref: 001FAF67

Strings

<, xrefs: 001FAE6B
@, xrefs: 001FAE72

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: dfc2d3762b9e1394e5af7fbc804a5f8699fa7f06ff22904dbd2f4f758f849cc3
Instruction ID: 93759b5c381aa90ebdeddc1e1b402e0bfb426f0f07821404d1bcc7ee1b29bed2
Opcode Fuzzy Hash: dfc2d3762b9e1394e5af7fbc804a5f8699fa7f06ff22904dbd2f4f758f849cc3
Instruction Fuzzy Hash: 79719DB0A00619DFCB14DF64D494AAEBBF0FF08314F548499E91AAB392C774ED45CB91

Function 001D719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001D7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001D723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001D724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001D72CF

Strings

DllGetClassObject, xrefs: 001D7242

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 988abeeb6be08cc69256a4fc1c80641d71ed6977ede1541ee5372bfb842be682
Instruction ID: b115d1ff99f1cf32e5174bd3a0c60e36f24ca30a9fd9301bc9e6fa0171f059a0
Opcode Fuzzy Hash: 988abeeb6be08cc69256a4fc1c80641d71ed6977ede1541ee5372bfb842be682
Instruction Fuzzy Hash: 104162B1604204EFDB15CF54C884A9A7BB9EF44310F2580AEBD059F38AE7B5DD45CBA0

Function 00203D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00203E35
IsMenu.USER32(?), ref: 00203E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00203E92
DrawMenuBar.USER32 ref: 00203EA5

Strings

0, xrefs: 00203D89

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: f53ee79a79dd41d63e8312e36c02797851d8cb886932b5aa5c1a375f584cd670
Instruction ID: 7f0bc25bdf22da8315679b069a5c9baa7b2cf1153f9896fb94ef18635ade758c
Opcode Fuzzy Hash: f53ee79a79dd41d63e8312e36c02797851d8cb886932b5aa5c1a375f584cd670
Instruction Fuzzy Hash: 49414C75A2130AEFDB10DF50D884AAABBB9FF49350F044219E905A7292D730AE64CF50

Function 001D1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001D3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001D1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001D1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 001D1EA9

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

Strings

ComboBox, xrefs: 001D1DF0
ListBox, xrefs: 001D1E25

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 7bd80a1e4ed3bdd531ce03fd8f49d235afe4f5d59cbfebf2f22830fe9d210c92
Instruction ID: 3f331feac00b79c85f759aa825e915da30b168927342cd26943f9110e4e6ad66
Opcode Fuzzy Hash: 7bd80a1e4ed3bdd531ce03fd8f49d235afe4f5d59cbfebf2f22830fe9d210c92
Instruction Fuzzy Hash: 7D213B71A00104BEDB19AB64DC46CFFB7BDDF56354B14411AF825A72E1DB344A0A9620

Function 00202F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00202F8D
LoadLibraryW.KERNEL32(?), ref: 00202F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00202FA9
DestroyWindow.USER32(?), ref: 00202FB1

Strings

SysAnimate32, xrefs: 00202F68

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: ecd8fcac9e2e2644ae564e03d3dd41827665338a7edb24b8edaf20cb534b8d0b
Instruction ID: 9c1e8d45e3f3b0a90b6b2795cc652c81fb1ea7b7a9859bff1a3cd803b67e2a30
Opcode Fuzzy Hash: ecd8fcac9e2e2644ae564e03d3dd41827665338a7edb24b8edaf20cb534b8d0b
Instruction Fuzzy Hash: CA21BE71220307EBEB114F649C8CEBB77BDEB593A4F20021AF910924D2C771DC659760

Function 00194D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00194D1E,001A28E9,?,00194CBE,001A28E9,002388B8,0000000C,00194E15,001A28E9,00000002), ref: 00194D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00194DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00194D1E,001A28E9,?,00194CBE,001A28E9,002388B8,0000000C,00194E15,001A28E9,00000002,00000000), ref: 00194DC3

Strings

mscoree.dll, xrefs: 00194D86
CorExitProcess, xrefs: 00194D98

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: db9ed0a44dc5bb1823e7676e592290227befbfed367f887e45dbd51dea988e9c
Instruction ID: 491d1a58c038f2c62e5af7c6bc53f1c1c6622a4beac5f7b78250ecc7eb545861
Opcode Fuzzy Hash: db9ed0a44dc5bb1823e7676e592290227befbfed367f887e45dbd51dea988e9c
Instruction Fuzzy Hash: 49F0AF34A00308BBDB159F90EC4DBEDBBF4EF14712F1001A4F809A22A1DB705A81CB90

Function 001CD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 001CD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 001CD3BF
FreeLibrary.KERNEL32(00000000), ref: 001CD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 001CD3B9
X64, xrefs: 001CD2A8

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: ff9f59bdcd40c97c4bf6b3f86150af4e17d1fee1899a601e1c57e494a5c125c6
Instruction ID: 1947794a5bb9aadfc985b9155e01bd339b509b5e1491cdbde746edb008b3e153
Opcode Fuzzy Hash: ff9f59bdcd40c97c4bf6b3f86150af4e17d1fee1899a601e1c57e494a5c125c6
Instruction Fuzzy Hash: 24F05CF18167609BC73917107C58F1AB714AF31701F7652BDF40AE1086CB20CD408B92

Function 00174E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00174EDD,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00174EAE
FreeLibrary.KERNEL32(00000000,?,?,00174EDD,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174EC0

Strings

kernel32.dll, xrefs: 00174E94
Wow64DisableWow64FsRedirection, xrefs: 00174EA8

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 1c9f536cc8a49b0c3ff47ba34f2ff043520e2454e39baafe6d99336bb495c36c
Instruction ID: fab88944054f157180b0b5c8f72aeb709cff5b8dcdd4831bbd72a9bff2e4e066
Opcode Fuzzy Hash: 1c9f536cc8a49b0c3ff47ba34f2ff043520e2454e39baafe6d99336bb495c36c
Instruction Fuzzy Hash: 97E086B6A017225BD22117257C1CA6BA564AF82B72B154215FC08D2142DF68CD0180B4

Function 00174E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001B3CDE,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00174E74
FreeLibrary.KERNEL32(00000000,?,?,001B3CDE,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174E87

Strings

kernel32.dll, xrefs: 00174E5B
Wow64RevertWow64FsRedirection, xrefs: 00174E6E

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 59e5c0574e138e8e0f4be9ae6aa06dc40464d0d0ad2729eb5e840c5f63b9fcf3
Instruction ID: 223870cf0058988980583aa3501197b951c082540929de84d8fffb5f05779d5c
Opcode Fuzzy Hash: 59e5c0574e138e8e0f4be9ae6aa06dc40464d0d0ad2729eb5e840c5f63b9fcf3
Instruction Fuzzy Hash: 4AD0C27254272157E6221B247C0CD8BAA2CEF86B213154310B80CE2152CF68CE0182E0

Function 001E2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001E2C05
DeleteFileW.KERNEL32(?), ref: 001E2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001E2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001E2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001E2CC0

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: cfb947c9039f4ed4a570d593ef64cc4df9eadcf5191d0d21fae437c329698e80
Instruction ID: 755e34c147926aacea587fa41d4b345523def305c3540e686eb247fc5fbf8716
Opcode Fuzzy Hash: cfb947c9039f4ed4a570d593ef64cc4df9eadcf5191d0d21fae437c329698e80
Instruction Fuzzy Hash: 82B16DB2D00519ABDF25EBA5CC95EDEB7BDEF58340F1040A6FA09E7141EB309A448F61

Function 001FA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 001FA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001FA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 001FA468
CloseHandle.KERNEL32(?), ref: 001FA63D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 3826de4e72dc0882f04fb702b08fe20bb927c0579cde9131eb9cee2878384856
Instruction ID: db4ef4cacddd920a8c275b32243aa020153caae7a5bb721324694f12d869d4d9
Opcode Fuzzy Hash: 3826de4e72dc0882f04fb702b08fe20bb927c0579cde9131eb9cee2878384856
Instruction Fuzzy Hash: 0BA1B0B16043009FD720DF28D886F2AB7E5AF98714F54885CFA5A9B392D774ED418B82

Function 001ABB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00213700), ref: 001ABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0024121C,000000FF,00000000,0000003F,00000000,?,?), ref: 001ABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00241270,000000FF,?,0000003F,00000000,?), ref: 001ABC36
_free.LIBCMT ref: 001ABB7F

Part of subcall function 001A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000), ref: 001A29DE
Part of subcall function 001A29C8: GetLastError.KERNEL32(00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000,00000000), ref: 001A29F0

_free.LIBCMT ref: 001ABD4B

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 9a566af5b74d2085a966ecb3e9da5d2746b72cbbbb47a4fa6a7610eb0d75ce31
Instruction ID: c8dec4de08db1209a2df12357a7e3ad8b8b36283446683f8179f77f1df832962
Opcode Fuzzy Hash: 9a566af5b74d2085a966ecb3e9da5d2746b72cbbbb47a4fa6a7610eb0d75ce31
Instruction Fuzzy Hash: 79510879908259AFCB14EF75ACC59AEB7B8FF53320B10026AE414D7197EB709E908B50

Function 001DE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001DCF22,?), ref: 001DDDFD

Part of subcall function 001DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001DCF22,?), ref: 001DDE16

Part of subcall function 001DE199: GetFileAttributesW.KERNEL32(?,001DCF95), ref: 001DE19A

lstrcmpiW.KERNEL32(?,?), ref: 001DE473
MoveFileW.KERNEL32(?,?), ref: 001DE4AC
_wcslen.LIBCMT ref: 001DE5EB
_wcslen.LIBCMT ref: 001DE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 001DE650

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2594e69051f2a575a73757d3b9aea47db2029ef1e410f3330686d52db5ea703f
Instruction ID: 732c6807211f241c8838ef22ce9f2ed784369fac43fbdb31bf92063283c3e323
Opcode Fuzzy Hash: 2594e69051f2a575a73757d3b9aea47db2029ef1e410f3330686d52db5ea703f
Instruction Fuzzy Hash: 0E5160B24087859BCB24EB94DC819DFB3ECAF94341F00491FF589D7291EF74A6888766

Function 001FB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FB6AE,?,?), ref: 001FC9B5
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FC9F1
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA68
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001FBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001FBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001FBB63
RegCloseKey.ADVAPI32(?,?), ref: 001FBBA6
RegCloseKey.ADVAPI32(00000000), ref: 001FBBB3

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: fd51491637660f01c45d6b5e2734ac7572f71b29e8d90ee180121bba50ceb0d9
Instruction ID: 15e56a1cad4c3977ee80a5866c3a7c664a4fcfaae340fa11e2c35fba0615658c
Opcode Fuzzy Hash: fd51491637660f01c45d6b5e2734ac7572f71b29e8d90ee180121bba50ceb0d9
Instruction Fuzzy Hash: AA617B71208245AFD714DF14C8D1E2ABBE5FF84308F54899CF59A8B2A2DB31ED45CB92

Function 001D8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001D8BCD
VariantClear.OLEAUT32 ref: 001D8C3E
VariantClear.OLEAUT32 ref: 001D8C9D
VariantClear.OLEAUT32(?), ref: 001D8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001D8D3B

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 1688480a8ade3d9f2222703655439fa91d2e5af70d7579112c6b1f55a8eb130c
Instruction ID: cf85b0f9811c027f15372921159a1ee56c4fc12a88738585fe12c2838660397b
Opcode Fuzzy Hash: 1688480a8ade3d9f2222703655439fa91d2e5af70d7579112c6b1f55a8eb130c
Instruction Fuzzy Hash: A9516AB5A00619EFCB14CF68D894AAAB7F9FF89310B15856AF905DB350E730E911CF90

Function 001E8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001E8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 001E8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001E8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001E8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001E8C5F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 201b1e7ff3dd9260e04bfe494c42a1f01ae268cadfff1918fe483df2ffb3b35b
Instruction ID: cb0e36faf42541af961a959b050a343e285d2055b5b0dc43d9d9c680a6b4467e
Opcode Fuzzy Hash: 201b1e7ff3dd9260e04bfe494c42a1f01ae268cadfff1918fe483df2ffb3b35b
Instruction Fuzzy Hash: 89514935A006189FCB05DF65C881AADBBF5FF49314F18C058E849AB3A2CB31ED51CB90

Function 001F8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 001F8F40
GetProcAddress.KERNEL32(00000000,?), ref: 001F8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 001F8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 001F9032
FreeLibrary.KERNEL32(00000000), ref: 001F9052

Part of subcall function 0018F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001E1043,?,75C0E610), ref: 0018F6E6
Part of subcall function 0018F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,001CFA64,00000000,00000000,?,?,001E1043,?,75C0E610,?,001CFA64), ref: 0018F70D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3deb76ee1d2d8ee04b85b5706f7ab7ad9d78ade548e1165cc19ed6d0e84bcc42
Instruction ID: 0b965c802fa30f0be92df58a30b010719886b8b721e77ee416dfc0d8c4576991
Opcode Fuzzy Hash: 3deb76ee1d2d8ee04b85b5706f7ab7ad9d78ade548e1165cc19ed6d0e84bcc42
Instruction Fuzzy Hash: 5E515A34604209DFC715EF58C484DADBBF1FF59314B1981A8E90A9B362DB31ED86CB91

Function 00206B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00206C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00206C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00206C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001EAB79,00000000,00000000), ref: 00206C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00206CC7

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 825d5acdb52a5f27ae61855ace0b66632ef46aaf011af3b94f5b3d045a0c0367
Instruction ID: f4c06a5da7eff2f3bc77134aa09421023719dd78f22533b4e5da2b9a6958648a
Opcode Fuzzy Hash: 825d5acdb52a5f27ae61855ace0b66632ef46aaf011af3b94f5b3d045a0c0367
Instruction Fuzzy Hash: 2B41D775624305AFE724CF28CC5CFA97BA9EB09360F140229F895A72E2C771ED71CA40

Function 001A2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001A20C3
_free.LIBCMT ref: 001A20E3

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 894ca64c1a8fb4a3add6864856b5a4772e5df854cc3711ff4fe8e8180b4d7d86
Instruction ID: 43700c362a8e0f442f8ce7f67d34a88b1977e377d7a72f16f5c035cdbceba2ca
Opcode Fuzzy Hash: 894ca64c1a8fb4a3add6864856b5a4772e5df854cc3711ff4fe8e8180b4d7d86
Instruction Fuzzy Hash: E441D37AA002009FCB24DF7CC981A5EB7F5EF9A714F254569E515EB352D731AD01CB80

Function 0018912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00189141
ScreenToClient.USER32(00000000,?), ref: 0018915E
GetAsyncKeyState.USER32(00000001), ref: 00189183
GetAsyncKeyState.USER32(00000002), ref: 0018919D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 6bf9756eeb9874f2f9adad6508a23f04e62f8403fb1b88349281a1cbbaae1454
Instruction ID: 6cb6e44049075c474657ecd72cd316fad84f99d530bb8d46b77226e0eb319397
Opcode Fuzzy Hash: 6bf9756eeb9874f2f9adad6508a23f04e62f8403fb1b88349281a1cbbaae1454
Instruction Fuzzy Hash: 32415F71A0860AFBDF19AF64C848BFEB774FB15324F24421AE425A32D1C7709A54CF51

Function 001E3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001E38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 001E3922
TranslateMessage.USER32(?), ref: 001E394B
DispatchMessageW.USER32(?), ref: 001E3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001E3966

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: cdbbf50527dfa202481a4d782fcad60062cd67afaafb922f3196463dcb077341
Instruction ID: 3012ce5b4ba70e119e504a2a188965995ad2048ee22efd34e96e0747ae6de3c7
Opcode Fuzzy Hash: cdbbf50527dfa202481a4d782fcad60062cd67afaafb922f3196463dcb077341
Instruction Fuzzy Hash: A131D974504BC19EEB39CB36EC4CFBA3BA8AB16308F540559E472931A2D3B49685CB21

Function 001ECF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,001EC21E,00000000), ref: 001ECF38
InternetReadFile.WININET(?,00000000,?,?), ref: 001ECF6F
GetLastError.KERNEL32(?,00000000,?,?,?,001EC21E,00000000), ref: 001ECFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,001EC21E,00000000), ref: 001ECFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,001EC21E,00000000), ref: 001ECFF2

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: e69e92e76b2fa48cf196a72954cf62eccd9432b277c61bb85b48ddfd6f61c88f
Instruction ID: 4f37e0d58dea45d2c5ff1d73b899f1bac2eb30dba63e1eafb1adb25faeb81a66
Opcode Fuzzy Hash: e69e92e76b2fa48cf196a72954cf62eccd9432b277c61bb85b48ddfd6f61c88f
Instruction Fuzzy Hash: 4E317FB1500B45EFDB24DFA6DC84AAFBBF9EF14311B10452EF506D2111D730AE429BA0

Function 001D1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001D1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001D19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001D19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001D19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001D19E2

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7d3879b19035d915aaf898245ce382d857bda0ed945ffefd123ce9138eddd6bf
Instruction ID: af4796eb0f5f8051c1b0dceba3fdbb45b2bb6ad598996c293a5be72c7650db4b
Opcode Fuzzy Hash: 7d3879b19035d915aaf898245ce382d857bda0ed945ffefd123ce9138eddd6bf
Instruction Fuzzy Hash: 55318F72900219FFCB18CFA8D9A9ADE7BB5EB44319F104326F925A72D1C7709954CB90

Function 00205706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00205745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0020579D
_wcslen.LIBCMT ref: 002057AF
_wcslen.LIBCMT ref: 002057BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00205816

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 38a5964d0839b59fb45b3dc4d2cf8e46db57a2bf9a565d3e5861b82d0fa0c8a6
Instruction ID: e82ac8fded7e2d7c22f22e09eb20ef0e1f8ed48b3733aba16fc739bad73fcef3
Opcode Fuzzy Hash: 38a5964d0839b59fb45b3dc4d2cf8e46db57a2bf9a565d3e5861b82d0fa0c8a6
Instruction Fuzzy Hash: 8821A575924729AADF208F60DC84AEEB7BCFF44724F108216F919EA1D2D7B08995CF50

Function 001F0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001F0951
GetForegroundWindow.USER32 ref: 001F0968
GetDC.USER32(00000000), ref: 001F09A4
GetPixel.GDI32(00000000,?,00000003), ref: 001F09B0
ReleaseDC.USER32(00000000,00000003), ref: 001F09E8

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3a1d766aaea50812f0edc11db3a404767b8e6e84fa98048d82af809bd8db250e
Instruction ID: fc3abced1c927a3f46ba8d678b57d5861adfd65619a1cab5a841ef22055f7afd
Opcode Fuzzy Hash: 3a1d766aaea50812f0edc11db3a404767b8e6e84fa98048d82af809bd8db250e
Instruction Fuzzy Hash: C4216F75600204AFD714EF65D889AAEBBF9FF58704F148168F94A97362DB70AC04CB50

Function 001ACDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001ACDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001ACDE9

Part of subcall function 001A3820: RtlAllocateHeap.NTDLL(00000000,?,00241444,?,0018FDF5,?,?,0017A976,00000010,00241440,001713FC,?,001713C6,?,00171129), ref: 001A3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001ACE0F
_free.LIBCMT ref: 001ACE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001ACE31

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 798b454f87b7e52ef46ce4d4977192550e7d876bf91bd2d1a59b801e453ed50c
Instruction ID: d3ec915c6d7518b99539f949da7e6bd272910a38644868045c97366f736cffac
Opcode Fuzzy Hash: 798b454f87b7e52ef46ce4d4977192550e7d876bf91bd2d1a59b801e453ed50c
Instruction Fuzzy Hash: 740184BA6013157F672117BA6C8CD7BAD6DDEC7BA13250229F905D7201EB718D0181F0

Function 00189639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00189693
SelectObject.GDI32(?,00000000), ref: 001896A2
BeginPath.GDI32(?), ref: 001896B9
SelectObject.GDI32(?,00000000), ref: 001896E2

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 329cff5ceaf5cc3eadd2f6f55bb2169f027e5d07da225594347588a0c0f2fe88
Instruction ID: 1ef52101c3d945e352ffe81505a1e7b5a99d4fcfe164a7a2969aec8a477741ea
Opcode Fuzzy Hash: 329cff5ceaf5cc3eadd2f6f55bb2169f027e5d07da225594347588a0c0f2fe88
Instruction Fuzzy Hash: 75218E74802345EFDB11AF64FC0CBB97BA9BB12725F340216F424A61B1E3709AA1CF90

Function 001D5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001D5726
_memcmp.LIBVCRUNTIME ref: 001D5744
_memcmp.LIBVCRUNTIME ref: 001D5757
_memcmp.LIBVCRUNTIME ref: 001D576F
_memcmp.LIBVCRUNTIME ref: 001D5787

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5892c944cd209b3323653becf88b39031b8e71de3345934efeb6dd21112b93c7
Instruction ID: bb8a8f54ec190e54c1f28be7bc8a82acd7bc9a456f1eef8efd96ccd6ef8a9fae
Opcode Fuzzy Hash: 5892c944cd209b3323653becf88b39031b8e71de3345934efeb6dd21112b93c7
Instruction Fuzzy Hash: 48019B71681705FBE71855109E43FBA735EAB32364B504022FD145A782F761ED5086A0

Function 001A2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0019F2DE,001A3863,00241444,?,0018FDF5,?,?,0017A976,00000010,00241440,001713FC,?,001713C6), ref: 001A2DFD
_free.LIBCMT ref: 001A2E32
_free.LIBCMT ref: 001A2E59
SetLastError.KERNEL32(00000000,00171129), ref: 001A2E66
SetLastError.KERNEL32(00000000,00171129), ref: 001A2E6F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f271b16c63c8042028fb4c03cb949ff7ab0fcd87a20f44106d3ffe9ad960bdc3
Instruction ID: da50d59c88ed406db4baa3e7f580bb0dd12ce711584e0f450f94340be77bb022
Opcode Fuzzy Hash: f271b16c63c8042028fb4c03cb949ff7ab0fcd87a20f44106d3ffe9ad960bdc3
Instruction Fuzzy Hash: 6001F47E2056006BC626673D7C8AE2B2659ABE37B5B310129F425E2293EB70CC815120

Function 001D000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?,?,?,001D035E), ref: 001D002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?,?), ref: 001D0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?,?), ref: 001D0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?), ref: 001D0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?,?), ref: 001D0070

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 536366675e806ce1e734da4db604c83e68cc4e6fde6ef467febefe3e8d722ec9
Instruction ID: f85c77e49a51c4081da5a13b2b21f40d2e791b92cf58f832208f272f5fe3c803
Opcode Fuzzy Hash: 536366675e806ce1e734da4db604c83e68cc4e6fde6ef467febefe3e8d722ec9
Instruction Fuzzy Hash: 8F01A2B2600304BFDB124F68EC48BAA7AEDEF88792F248225F905D2311D771DD408BA0

Function 001DE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 001DE997
QueryPerformanceFrequency.KERNEL32(?), ref: 001DE9A5
Sleep.KERNEL32(00000000), ref: 001DE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 001DE9B7
Sleep.KERNEL32 ref: 001DE9F3

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 68fd3141b48a9f8e658473d283187ed07e475475827082a09b59ca2c25ab09e9
Instruction ID: ef201ad838cfbf30bfc160b79162a79d193c15077318ebe6eed1b9fe04d77190
Opcode Fuzzy Hash: 68fd3141b48a9f8e658473d283187ed07e475475827082a09b59ca2c25ab09e9
Instruction Fuzzy Hash: B1015E71C02629DBCF04AFE4E86D6EDBBB8BB08305F110656E501B6241CB30555487A1

Function 001D10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001D1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001D114D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 155b4b75780201643746ab3a08a156a78054c58bb70839a9763252ca5fa7d2ac
Instruction ID: cd9374658278272204145603e6f0c55f7b82f1aec0f64b6ec1648c611b4f78ba
Opcode Fuzzy Hash: 155b4b75780201643746ab3a08a156a78054c58bb70839a9763252ca5fa7d2ac
Instruction Fuzzy Hash: FC0119B5200305BFEB114FA5EC4DA6A7B7EEF893A0B244529FA45D7361DB31DC009A60

Function 001D0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001D0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001D0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001D0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001D0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001D1002

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5132c324cad8f6c6607a9c0e96ba1ba3753fe7491847156c9168c2cc0c6b49ac
Instruction ID: 9c4f1cb45723103b25d78cae7843c87c9fbc8c116da60ca28a2d196d73855aac
Opcode Fuzzy Hash: 5132c324cad8f6c6607a9c0e96ba1ba3753fe7491847156c9168c2cc0c6b49ac
Instruction Fuzzy Hash: 87F04F75100311BBD7215FA4AC4DF563B6EEF89761F204515F949C6252CA70DC408A60

Function 001D1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001D102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001D1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001D104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D1062

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5856ea6562b7a17774536d8f949b2cabbbfa2ed4aaf6e7d44e2bc43f65f9aab7
Instruction ID: 10e99ecf48df94d954f501f11d984a376e8f8ab8ae51d80296e5cd2ba248782e
Opcode Fuzzy Hash: 5856ea6562b7a17774536d8f949b2cabbbfa2ed4aaf6e7d44e2bc43f65f9aab7
Instruction Fuzzy Hash: 6AF049B5200311BBDB216FA4EC4DF563BAEEF89761F200925FA49C6251CA70D840CA60

Function 001E030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,001E017D,?,001E32FC,?,00000001,001B2592,?), ref: 001E0324
CloseHandle.KERNEL32(?,?,?,?,001E017D,?,001E32FC,?,00000001,001B2592,?), ref: 001E0331
CloseHandle.KERNEL32(?,?,?,?,001E017D,?,001E32FC,?,00000001,001B2592,?), ref: 001E033E
CloseHandle.KERNEL32(?,?,?,?,001E017D,?,001E32FC,?,00000001,001B2592,?), ref: 001E034B
CloseHandle.KERNEL32(?,?,?,?,001E017D,?,001E32FC,?,00000001,001B2592,?), ref: 001E0358
CloseHandle.KERNEL32(?,?,?,?,001E017D,?,001E32FC,?,00000001,001B2592,?), ref: 001E0365

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 06864dc026a28589bd25e5e07b9f6df09ec317b73748cc18a34afb4a7960d835
Instruction ID: 9a5a32c8ec7d2161a20ae3aa5b46b216bf29dc31d2210fd9c64307a75e287cf5
Opcode Fuzzy Hash: 06864dc026a28589bd25e5e07b9f6df09ec317b73748cc18a34afb4a7960d835
Instruction Fuzzy Hash: E401AE72800F559FCB31AF66D88081AFBF9BF643153158A3FD19652931C3B1A998CF80

Function 001AD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001AD752

Part of subcall function 001A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000), ref: 001A29DE
Part of subcall function 001A29C8: GetLastError.KERNEL32(00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000,00000000), ref: 001A29F0

_free.LIBCMT ref: 001AD764
_free.LIBCMT ref: 001AD776
_free.LIBCMT ref: 001AD788
_free.LIBCMT ref: 001AD79A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7a4288517705ab728f933b9fd8d5a6f5d461c9bccdcc4e3898b5bc4d468dd3f0
Instruction ID: 35b480dbfb48140844abe37887928b6f3462998cebc4f5fc695b586340f697c5
Opcode Fuzzy Hash: 7a4288517705ab728f933b9fd8d5a6f5d461c9bccdcc4e3898b5bc4d468dd3f0
Instruction Fuzzy Hash: 76F0963A504718AFC665EBA8F9C6C2B77DDBB06718BA50C05F049E7911C730FC808761

Function 001D5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 001D5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 001D5C6F
MessageBeep.USER32(00000000), ref: 001D5C87
KillTimer.USER32(?,0000040A), ref: 001D5CA3
EndDialog.USER32(?,00000001), ref: 001D5CBD

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9ac6fd742698fb3c380abeb838e2801fd45dbaf4b7efbcd0121b630ed4383b11
Instruction ID: 9df9c09801d843d91ec8d66f3cd15b29a56b8b1a53e547b6ae7f38705e4135cf
Opcode Fuzzy Hash: 9ac6fd742698fb3c380abeb838e2801fd45dbaf4b7efbcd0121b630ed4383b11
Instruction Fuzzy Hash: C101A470510B04ABEB345B10ED4EFA67BBDBF00B45F14066AB583A11E2DBF5AD84CB90

Function 001A22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001A22BE

Part of subcall function 001A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000), ref: 001A29DE
Part of subcall function 001A29C8: GetLastError.KERNEL32(00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000,00000000), ref: 001A29F0

_free.LIBCMT ref: 001A22D0
_free.LIBCMT ref: 001A22E3
_free.LIBCMT ref: 001A22F4
_free.LIBCMT ref: 001A2305

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4b4fc8da910c3df8a91b701aa4fe2d6046d9218466ff4e0340ef873c249bfb75
Instruction ID: 379558d008bed8324a2cf8d62ff391c39e7183e55c600a4e55b09adf0d06baa1
Opcode Fuzzy Hash: 4b4fc8da910c3df8a91b701aa4fe2d6046d9218466ff4e0340ef873c249bfb75
Instruction Fuzzy Hash: 2FF03ABC8002308FC752AF68BC498293B64B72BB61B11051BF914E32B1CB3009A1AFE5

Function 001895C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001895D4
StrokeAndFillPath.GDI32(?,?,001C71F7,00000000,?,?,?), ref: 001895F0
SelectObject.GDI32(?,00000000), ref: 00189603
DeleteObject.GDI32 ref: 00189616
StrokePath.GDI32(?), ref: 00189631

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 194bb0aff0e9099329efc971000290b13c65c5956d11d17d9f29f9e68be8d1e4
Instruction ID: 51a1b1e3b11e32fcde21cd75c4211f9e3ee1dbd753b49afa1afc1a407ce5ac2f
Opcode Fuzzy Hash: 194bb0aff0e9099329efc971000290b13c65c5956d11d17d9f29f9e68be8d1e4
Instruction Fuzzy Hash: A4F03738006348EBDB266F69FD1CB743B61AB02722F288314F429550F1D7308AA5DF20

Function 001A0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001A10F9
__freea.LIBCMT ref: 001A1117

Part of subcall function 001A1537: _free.LIBCMT ref: 001A154F

Strings

am/pm, xrefs: 001A117A
a/p, xrefs: 001A11DE

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 0bfd702a6985a4156dd96875b2066c4f7e10cffce450df620e394e233b5c1fb1
Instruction ID: e894adc5ab1dc1dce51a54a39450a857c4054ad140769b4186a9dbf11a80f9c7
Opcode Fuzzy Hash: 0bfd702a6985a4156dd96875b2066c4f7e10cffce450df620e394e233b5c1fb1
Instruction Fuzzy Hash: AED10F3D900206FACF289F68C995BFAB7B5FF17320F29415AE901AB650D3759D80CB91

Function 001F61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00190242: EnterCriticalSection.KERNEL32(0024070C,00241884,?,?,0018198B,00242518,?,?,?,001712F9,00000000), ref: 0019024D
Part of subcall function 00190242: LeaveCriticalSection.KERNEL32(0024070C,?,0018198B,00242518,?,?,?,001712F9,00000000), ref: 0019028A

Part of subcall function 001900A3: __onexit.LIBCMT ref: 001900A9

__Init_thread_footer.LIBCMT ref: 001F6238

Part of subcall function 001901F8: EnterCriticalSection.KERNEL32(0024070C,?,?,00188747,00242514), ref: 00190202
Part of subcall function 001901F8: LeaveCriticalSection.KERNEL32(0024070C,?,00188747,00242514), ref: 00190235

Part of subcall function 001E359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001E35E4
Part of subcall function 001E359C: LoadStringW.USER32(00242390,?,00000FFF,?), ref: 001E360A

Strings

x#$, xrefs: 001F636F
x#$, xrefs: 001F633A
x#$, xrefs: 001F6353

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#$$x#$$x#$
API String ID: 1072379062-3033266091
Opcode ID: 3d9e8a6559aca268b16e52ce045672799809df7f1f2fef4c64ca40e0e02f958b
Instruction ID: da53a651291ddf624dd6f20e3b7b35c4d254354195917c5e3433cfd9a432772e
Opcode Fuzzy Hash: 3d9e8a6559aca268b16e52ce045672799809df7f1f2fef4c64ca40e0e02f958b
Instruction Fuzzy Hash: B0C18071A00109AFCB14EF98C895EBEB7B9FF59340F148069FA15AB291DB70ED45CB90

Function 001F7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00190242: EnterCriticalSection.KERNEL32(0024070C,00241884,?,?,0018198B,00242518,?,?,?,001712F9,00000000), ref: 0019024D
Part of subcall function 00190242: LeaveCriticalSection.KERNEL32(0024070C,?,0018198B,00242518,?,?,?,001712F9,00000000), ref: 0019028A

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001900A3: __onexit.LIBCMT ref: 001900A9

__Init_thread_footer.LIBCMT ref: 001F7BFB

Part of subcall function 001901F8: EnterCriticalSection.KERNEL32(0024070C,?,?,00188747,00242514), ref: 00190202
Part of subcall function 001901F8: LeaveCriticalSection.KERNEL32(0024070C,?,00188747,00242514), ref: 00190235

Strings

G, xrefs: 001F7C7F
Variable must be of type 'Object'., xrefs: 001F7C3A
5, xrefs: 001F7C78

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: cff17bbc7d420f9f83877f0f11443bc1d035d65039f359d1011f0788d02d1a37
Instruction ID: 7845fbdd2d8213600794822faf9a519870ebe5c2cbfc5368aba71c979da472ad
Opcode Fuzzy Hash: cff17bbc7d420f9f83877f0f11443bc1d035d65039f359d1011f0788d02d1a37
Instruction Fuzzy Hash: CD919B70A04209EFCB05EF94D891DBDB7B2FF59300F548059FA069B292DB71AE45CB51

Function 001D2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001D21D0,?,?,00000034,00000800,?,00000034), ref: 001DB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001D2760

Part of subcall function 001DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001DB3F8

Part of subcall function 001DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 001DB355
Part of subcall function 001DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001D2194,00000034,?,?,00001004,00000000,00000000), ref: 001DB365
Part of subcall function 001DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001D2194,00000034,?,?,00001004,00000000,00000000), ref: 001DB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001D27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001D281A

Strings

@, xrefs: 001D2832

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9183785e672733e560eaed7b8c1467453e64fd5a0d0379bf70756e5fa7ef4b50
Instruction ID: 7ec09df98a0077bac963a6a4e42ad1ca371c14c6b860c56906d573109a8127ab
Opcode Fuzzy Hash: 9183785e672733e560eaed7b8c1467453e64fd5a0d0379bf70756e5fa7ef4b50
Instruction Fuzzy Hash: F4413C72900218BFDB10DBA4CD85EEEBBB8EF59300F104056FA55B7281DB716E45DBA0

Function 001A172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 001A1769
_free.LIBCMT ref: 001A1834
_free.LIBCMT ref: 001A183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 001A1760, 001A1767, 001A1796, 001A17CE

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: e132086fd1ab14174a7d1536c6d5256401cc3f0c15a1045251361bfb2aa391e9
Instruction ID: 476e6273210456d25d2060d029ef566e62354f587a8a6db2132f20909fab9ee5
Opcode Fuzzy Hash: e132086fd1ab14174a7d1536c6d5256401cc3f0c15a1045251361bfb2aa391e9
Instruction Fuzzy Hash: 7D316E79A44218BFDB21DB999885D9EBBFCEB96310F14416AF905D7211D7B08E80CB90

Function 001DC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001DC306
DeleteMenu.USER32(?,00000007,00000000), ref: 001DC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00241990,017E4C98), ref: 001DC395

Strings

0, xrefs: 001DC2DF

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: bdfc3cd3d185d74b460c2eae44ffdfff15ef8be152c2d44485428436a7065eb1
Instruction ID: 0844ea3bca38536ebb474f5496c95625f5ccad0464663e68bd27280e9ef9a375
Opcode Fuzzy Hash: bdfc3cd3d185d74b460c2eae44ffdfff15ef8be152c2d44485428436a7065eb1
Instruction Fuzzy Hash: C641A271204342AFDB24DF29D884B5ABBE4BF95310F148A1EF9A5973D1D770E904CBA2

Function 00204416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0020CC08,00000000,?,?,?,?), ref: 002044AA
GetWindowLongW.USER32 ref: 002044C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002044D7

Strings

SysTreeView32, xrefs: 0020447C

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: bcdc9a10e065eb04961c380e8e860967a08e35fe8140075fe7c70ac6d7e9892a
Instruction ID: cd176c47808af3e1b016b77b8afac58d52863d541e072d2e4d12f963122a1d4b
Opcode Fuzzy Hash: bcdc9a10e065eb04961c380e8e860967a08e35fe8140075fe7c70ac6d7e9892a
Instruction Fuzzy Hash: 813183B1120706AFDB20AF34DC45BDA7BA9EB55334F208715FA75921D2D770EC609B50

Function 001F304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001F335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001F3077,?,?), ref: 001F3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001F307A
_wcslen.LIBCMT ref: 001F309B
htons.WSOCK32(00000000,?,?,00000000), ref: 001F3106

Strings

255.255.255.255, xrefs: 001F3095, 001F309A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: ed459802898cafc384d9df7090987fb9a1be16b2fed99d21aecb1c193797d95e
Instruction ID: 6d85f1c0e80c27677660ed8fad627401f07d7278bf3a249afdd681db74d83e1b
Opcode Fuzzy Hash: ed459802898cafc384d9df7090987fb9a1be16b2fed99d21aecb1c193797d95e
Instruction Fuzzy Hash: 7731D3756042099FCB20CF28C485EBA77F0EF54318F25C15AEA258B392DB72EE45C761

Function 00203EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00203F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00203F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00203F78

Strings

SysMonthCal32, xrefs: 00203F0B

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 56b2274f80cbb007e83534aaf04b6bcb23e385eb9244c2ece293e43a33a54d5b
Instruction ID: 1e739cd9207cfbd5cff5f0c677b114415cc3ad9316750ed36b741ee7438beb13
Opcode Fuzzy Hash: 56b2274f80cbb007e83534aaf04b6bcb23e385eb9244c2ece293e43a33a54d5b
Instruction Fuzzy Hash: D521BF3261021ABBDF25CF50DC4AFEA3B79EF48714F110214FA196B1D1DAB1A860CB90

Function 00204653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00204705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00204713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0020471A

Strings

msctls_updown32, xrefs: 00204684

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6bdb72744cbea2469787da32f7f8ed93dcd2a3fe6707c345e0175557b8ebb983
Instruction ID: 1100baf9efba3e9503d8cdde2346c95cb056f34a6841ce00772f52aa2889a167
Opcode Fuzzy Hash: 6bdb72744cbea2469787da32f7f8ed93dcd2a3fe6707c345e0175557b8ebb983
Instruction Fuzzy Hash: 5E2192F5610209AFDB10EF68DCD5DA777ADEF5A354B004049FA009B2A2CB31EC61CA60

Function 001D95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D961D

Strings

#OnAutoItStartRegister, xrefs: 001D95F3
#notrayicon, xrefs: 001D95B7
#requireadmin, xrefs: 001D95D9

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 0f2dec859005ebf736a7896e146a72729b4d95520f85bb50b6f93d315fcdd0c0
Instruction ID: a21871c8ed262d8a7ee012a4a53408de1ad33966d9e19b27c02298c3203fa209
Opcode Fuzzy Hash: 0f2dec859005ebf736a7896e146a72729b4d95520f85bb50b6f93d315fcdd0c0
Instruction Fuzzy Hash: F9216D3220461166D731BB28DC02FB773E89F65310F104037F94997282EB55ED52C3D5

Function 002037B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00203840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00203850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00203876

Strings

Listbox, xrefs: 0020380F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ecfb6b15162e41e88fe5f2691ec4a7e38479a49caa9e4565ede6eb53671e7df7
Instruction ID: 6f8298afc9877f8bce40a894ee17a388e179a754759fcdade560a089b7b3b223
Opcode Fuzzy Hash: ecfb6b15162e41e88fe5f2691ec4a7e38479a49caa9e4565ede6eb53671e7df7
Instruction Fuzzy Hash: C0218072620219BBEF21CF54DC45EAB776EEF89750F108114F9449B1E1CA71DC628BA0

Function 001E49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001E4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001E4A5C
SetErrorMode.KERNEL32(00000000,?,?,0020CC08), ref: 001E4AD0

Strings

%lu, xrefs: 001E4A6F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: d61241d82f993f3c0591536aae46b2b6cb9a9fffc226a72eb6a2d778d87831b0
Instruction ID: 1c0ad0f489044d9585b89409a32cd06acbcaaac0178b623f16aab016f5aff85f
Opcode Fuzzy Hash: d61241d82f993f3c0591536aae46b2b6cb9a9fffc226a72eb6a2d778d87831b0
Instruction Fuzzy Hash: D0315175A00209AFDB10DF54C885EAEBBF8EF49318F1480A9F909DB252D771EE45CB61

Function 002041EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0020424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00204264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00204271

Strings

msctls_trackbar32, xrefs: 00204226

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 183c212d48b50226488bb70435770d5968c8ebfefa9b152a1c27c8feafb1a089
Instruction ID: c8668b13502f4975be88a84ed0c0ed9a6138d494f5182f6eadb0bb87ba808f73
Opcode Fuzzy Hash: 183c212d48b50226488bb70435770d5968c8ebfefa9b152a1c27c8feafb1a089
Instruction Fuzzy Hash: 7D11E3B1350309BEEF206F28CC06FAB7BACEF95B54F114114FA55E20D1D671D8619B10

Function 001D2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

Part of subcall function 001D2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001D2DC5
Part of subcall function 001D2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 001D2DD6
Part of subcall function 001D2DA7: GetCurrentThreadId.KERNEL32 ref: 001D2DDD
Part of subcall function 001D2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001D2DE4

GetFocus.USER32 ref: 001D2F78

Part of subcall function 001D2DEE: GetParent.USER32(00000000), ref: 001D2DF9

GetClassNameW.USER32(?,?,00000100), ref: 001D2FC3
EnumChildWindows.USER32(?,001D303B), ref: 001D2FEB

Strings

%s%d, xrefs: 001D2FFF

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 96d946abb62b1ba3ee92e531705faa447f3463643de6cf7b897167d6289a1476
Instruction ID: c41e3894c546b6e6e4fe6fd0811d82de40ef4dbb9c4450c3e857935166cab559
Opcode Fuzzy Hash: 96d946abb62b1ba3ee92e531705faa447f3463643de6cf7b897167d6289a1476
Instruction Fuzzy Hash: 8911E4B53002056BCF147FB09C85EEE376AAFA4304F148076F9199B293DF319A098B60

Function 00205882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002058C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002058EE
DrawMenuBar.USER32(?), ref: 002058FD

Strings

0, xrefs: 0020588F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 9e5075fbea707d1e4dfcbf18dad55cdfd943c2d016e7bce928f595d7669efa54
Instruction ID: b59d4297bcab8ad7cb389c1c76fa4e62913349d8aa99c45488ea91757099cfc5
Opcode Fuzzy Hash: 9e5075fbea707d1e4dfcbf18dad55cdfd943c2d016e7bce928f595d7669efa54
Instruction Fuzzy Hash: F4018B71510328EFDB209F11EC48BAFBBB4FF45361F108099E848D6192DB708AA0DF60

Function 001D007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dafd8248ce85e95692c4f3b92387582b180e3bd4235fd584be4f6e1fc215f1a0
Instruction ID: 9514c2b0facc528afb202ceaed74762d7cc666dd8cdc1571ebc895b7e4411b83
Opcode Fuzzy Hash: dafd8248ce85e95692c4f3b92387582b180e3bd4235fd584be4f6e1fc215f1a0
Instruction Fuzzy Hash: EEC13875A0020AEFDB15CFA8C898BAEB7B5FF48704F218599E505EB251D731EE41CB90

Function 001A3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001A3F0B
__alldvrm.LIBCMT ref: 001A410C
__alldvrm.LIBCMT ref: 001A412E

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: a82ee927ff3d939906a61d1033e8bb7e53f6ffeb693c566b141ce365873466f3
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: EFA1787AD103869FEB26CF18C8917AEBBE4EFA3350F18416DF5958B281C3B49981C751

Function 001F342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001F3459
CoUninitialize.OLE32 ref: 001F3463
VariantInit.OLEAUT32(?), ref: 001F346E
VariantClear.OLEAUT32(?), ref: 001F371B

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 11962d41d0c0447fcaed04a8161240ead5cce16135b5646761cc093705491f2d
Instruction ID: 1a3bb45613d510b8532eb367ed7aa463007669aebeb9e83bdbfdd229ed8e1b45
Opcode Fuzzy Hash: 11962d41d0c0447fcaed04a8161240ead5cce16135b5646761cc093705491f2d
Instruction Fuzzy Hash: D7A13A756043049FC700EF28C485A2AB7E5FF98714F148959F99A9B3A2DB30EE01CB91

Function 001D0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0020FC08,?), ref: 001D05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0020FC08,?), ref: 001D0608
CLSIDFromProgID.OLE32(?,?,00000000,0020CC40,000000FF,?,00000000,00000800,00000000,?,0020FC08,?), ref: 001D062D
_memcmp.LIBVCRUNTIME ref: 001D064E

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 43b5fafff00a363a7279f327d12508e2f7b2d621dc329ed19fd5d878d9e04451
Instruction ID: baae43040a7be9c598a8de86acb18296139ee6c01d9d01eb39316754492454b3
Opcode Fuzzy Hash: 43b5fafff00a363a7279f327d12508e2f7b2d621dc329ed19fd5d878d9e04451
Instruction Fuzzy Hash: C3810C71A00209EFCB05DF94C988EEEB7B9FF89315F204559E506AB250DB71AE46CF60

Function 001FA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001FA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 001FA6BA

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Process32NextW.KERNEL32(00000000,?), ref: 001FA79C
CloseHandle.KERNEL32(00000000), ref: 001FA7AB

Part of subcall function 0018CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,001B3303,?), ref: 0018CE8A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e5fa4af7c222a316d90b2ba76520a3db352e10aa09965a6bd1d903e153ac9cfe
Instruction ID: 9310a3b57ab3577ac5f5f8787bed4b31263602a184ea51dcf4233fb42fd2b8ac
Opcode Fuzzy Hash: e5fa4af7c222a316d90b2ba76520a3db352e10aa09965a6bd1d903e153ac9cfe
Instruction Fuzzy Hash: 005139B1508304AFD710EF24D886A6BBBF8FF99754F50891DF58997252EB30D904CB92

Function 001B1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001B14C0

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 86e583573942f5fb7063fba101710c89ba5b192da80a3b0ed27c6d412ad96dcb
Instruction ID: 735540039f23eeecd146a7ccd3686867aab691767b7836cd268a948bf0c2f556
Opcode Fuzzy Hash: 86e583573942f5fb7063fba101710c89ba5b192da80a3b0ed27c6d412ad96dcb
Instruction Fuzzy Hash: 13416A35A00100BBDF256BFD9C56BFE3AA4EF66370F660265F818D3192EB3489419262

Function 00206278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002062E2
ScreenToClient.USER32(?,?), ref: 00206315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00206382

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 617fd5f1c83c84ed1dfd415f5e22323571a0fc052b7da622756f47a03faf80b3
Instruction ID: 3032de3d15c336de79ddebf7e72f7c71b3d1c71e903071da046ba763a169b309
Opcode Fuzzy Hash: 617fd5f1c83c84ed1dfd415f5e22323571a0fc052b7da622756f47a03faf80b3
Instruction Fuzzy Hash: 0E512C7491020AEFDB24DF54D888AAE7BB5EF45760F108299F8159B2E1D730EDA1CB90

Function 001F1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001F1AFD
WSAGetLastError.WSOCK32 ref: 001F1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001F1B8A
WSAGetLastError.WSOCK32 ref: 001F1B94

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 987b654c8259dd4b7d62533b4fbc3bbaa51fe8ab37a9913b6c51323e6de69deb
Instruction ID: ff5285d351581de154640cbbafe752f050c99a593a7d718dfde20d20b18719db
Opcode Fuzzy Hash: 987b654c8259dd4b7d62533b4fbc3bbaa51fe8ab37a9913b6c51323e6de69deb
Instruction Fuzzy Hash: 1A41BE74640204AFE721AF24D88AF2A77E5AB58718F54C44CFA1A9F2D3D772ED418B90

Function 001AB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb79d25af7a41135671835c7a530ffed3a8fdf2e1cd50685d791f9a237dac61b
Instruction ID: cd15d17beda1851ee6dfa787ff49168be56e4e30ff805543661338c435882194
Opcode Fuzzy Hash: fb79d25af7a41135671835c7a530ffed3a8fdf2e1cd50685d791f9a237dac61b
Instruction Fuzzy Hash: 7641177AA04344BFD7259F78CC81BAABBE9EB99710F10452EF542DB283D771E9018780

Function 001E56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001E5783
GetLastError.KERNEL32(?,00000000), ref: 001E57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001E57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001E57FA

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 80a9e2601865806dc2417d4d9eeb474779db8f538347e4f5dff4b2b8e61ba147
Instruction ID: 0bb03e951fd983133555786a91e95a5ade475911cf812ff3810736057848a6a4
Opcode Fuzzy Hash: 80a9e2601865806dc2417d4d9eeb474779db8f538347e4f5dff4b2b8e61ba147
Instruction Fuzzy Hash: 7441FD39600A10DFCB11EF15D585A5DBBF2EF99724B19C488E84A5B3A2CB34FD41CB91

Function 001AD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00196D71,00000000,00000000,001982D9,?,001982D9,?,00000001,00196D71,8BE85006,00000001,001982D9,001982D9), ref: 001AD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001AD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 001AD9AB
__freea.LIBCMT ref: 001AD9B4

Part of subcall function 001A3820: RtlAllocateHeap.NTDLL(00000000,?,00241444,?,0018FDF5,?,?,0017A976,00000010,00241440,001713FC,?,001713C6,?,00171129), ref: 001A3852

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2382055b1f3cd62ae11e0b212c802121dbcdb4e321bf80b2e1dbd76a806fe799
Instruction ID: f1f774940599a3be13e06aa6365a544a89466a2e087cb675a0b3b85520da627c
Opcode Fuzzy Hash: 2382055b1f3cd62ae11e0b212c802121dbcdb4e321bf80b2e1dbd76a806fe799
Instruction Fuzzy Hash: 0A31DE76A0060AABDF249F64EC45EAF7BA9EB42314F150268FC05D7251EB35CD54CB90

Function 002052C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00205352
GetWindowLongW.USER32(?,000000F0), ref: 00205375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00205382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002053A8

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 587d18ea8640fda7831c8ef60d48b29de1a17e58e4cbca33daf50ad3b850c547
Instruction ID: a59791862432f203da344e5067a581a63f7fa073feaae0d8e0706ca403f087e5
Opcode Fuzzy Hash: 587d18ea8640fda7831c8ef60d48b29de1a17e58e4cbca33daf50ad3b850c547
Instruction Fuzzy Hash: FF31E634A75B29EFEB349F14DC06BEA7765AB05390F584181FA10961E3C7F099A0DF42

Function 001DAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 001DABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 001DAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 001DAC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 001DACC6

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1e1d0a9bcf346f456909c553722e968629fb66e73c8b92e27bcb0dc57131194a
Instruction ID: 4bb34f66a52cf6550158f6850a87bea00882009a2a84c6db21d326f9d4244875
Opcode Fuzzy Hash: 1e1d0a9bcf346f456909c553722e968629fb66e73c8b92e27bcb0dc57131194a
Instruction Fuzzy Hash: 87313770A20718AFEF34CB648C087FE7BA5AF89330F98431BE481963D1C37999818752

Function 00207674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0020769A
GetWindowRect.USER32(?,?), ref: 00207710
PtInRect.USER32(?,?,00208B89), ref: 00207720
MessageBeep.USER32(00000000), ref: 0020778C

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 394143d570046cc2e9e30840863e8c7374d9d6d4451d9a317fe4c552d149fdc1
Instruction ID: f3c03d6ab63ce11ce02b3fa33178e0b4dea0aff13974170ccccfcb5566d9f820
Opcode Fuzzy Hash: 394143d570046cc2e9e30840863e8c7374d9d6d4451d9a317fe4c552d149fdc1
Instruction Fuzzy Hash: 2341AD38A15315DFDB11CF58D898EA9B7F4FB49384F1481A8E8149B2B2C371B9A1CF90

Function 002016DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002016EB

Part of subcall function 001D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001D3A57
Part of subcall function 001D3A3D: GetCurrentThreadId.KERNEL32 ref: 001D3A5E
Part of subcall function 001D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001D25B3), ref: 001D3A65

GetCaretPos.USER32(?), ref: 002016FF
ClientToScreen.USER32(00000000,?), ref: 0020174C
GetForegroundWindow.USER32 ref: 00201752

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a23473795f58b4221d063c5e10abdd9f06d48387475f447f6546b69a50545a2d
Instruction ID: 7a731cb71063fc7e16751f97529976adb69c312e1fc770f7a37d4d5e81b431e4
Opcode Fuzzy Hash: a23473795f58b4221d063c5e10abdd9f06d48387475f447f6546b69a50545a2d
Instruction Fuzzy Hash: 92314175D00249AFC704DFA9C885CAEFBF9EF59304B50806AE415E7252D7319E45CBA0

Function 001DDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00177620: _wcslen.LIBCMT ref: 00177625

_wcslen.LIBCMT ref: 001DDFCB
_wcslen.LIBCMT ref: 001DDFE2
_wcslen.LIBCMT ref: 001DE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 001DE018

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 303f65123ad16fe120de91ea8111d65f6f1a12945aa8744bc4212b091098a8f5
Instruction ID: 258e4fead08a73aba94c42a49897d078c6d09db663091ff9f8357ab890c48a03
Opcode Fuzzy Hash: 303f65123ad16fe120de91ea8111d65f6f1a12945aa8744bc4212b091098a8f5
Instruction Fuzzy Hash: 3D218171900214AFCB20EFA8D981BAEB7F8EF55750F144065F905BB385D7709E41CBA1

Function 00208FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

GetCursorPos.USER32(?), ref: 00209001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001C7711,?,?,?,?,?), ref: 00209016
GetCursorPos.USER32(?), ref: 0020905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,001C7711,?,?,?), ref: 00209094

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: ddf8350e40b3c19045b1939545d029ca10a3e02c505994d61a4ceb051f019e09
Instruction ID: 18ab191c8ac7886e4c92a98a9f7e0a41290fa991657e7c9216570f982bc692f2
Opcode Fuzzy Hash: ddf8350e40b3c19045b1939545d029ca10a3e02c505994d61a4ceb051f019e09
Instruction Fuzzy Hash: CD21B135610218EFDB258F94DC58EFB3BBAEB49350F144155F9465B1A3C33199A0DB60

Function 001DD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0020CB68), ref: 001DD2FB
GetLastError.KERNEL32 ref: 001DD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 001DD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0020CB68), ref: 001DD376

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: dc2d10ba370f654a1a376dd581ac0bb6e3f8eafe310e3740c4aa6f6d60302c6a
Instruction ID: 1573f3a67c311345bcc6e4652576c4690e3d22f07ee5eb9245cd1672b4289b89
Opcode Fuzzy Hash: dc2d10ba370f654a1a376dd581ac0bb6e3f8eafe310e3740c4aa6f6d60302c6a
Instruction Fuzzy Hash: 382171B0505301AFC714DF68E88586A77E4BE56364F204A1EF499C73E2D731D949CB93

Function 001D1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001D102A
Part of subcall function 001D1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001D1036
Part of subcall function 001D1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D1045
Part of subcall function 001D1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001D104C
Part of subcall function 001D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001D15BE
_memcmp.LIBVCRUNTIME ref: 001D15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D1617
HeapFree.KERNEL32(00000000), ref: 001D161E

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 453d75fd8bded0cb5533dc5f9a5fd4b25850102509f480f753d0a1af9f8829e3
Instruction ID: 281bb6215f4bf89a5211960a1b362275fe677d8d457e874f381d1d86039770ca
Opcode Fuzzy Hash: 453d75fd8bded0cb5533dc5f9a5fd4b25850102509f480f753d0a1af9f8829e3
Instruction Fuzzy Hash: 7621A971E00208FFDF00DFA4D948BEEB7B8EF40344F18855AE401AB241E770AA45CBA0

Function 00202782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0020280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00202824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00202832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00202840

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: e71ff5269cf1e67d48033d6480bb831d35bb898f4cb57f28a05021ccfd86787a
Instruction ID: ff39cbc08e4a5b862896521c8e493a4f2a6b7d87e9cadcf12a5d686bafa9106c
Opcode Fuzzy Hash: e71ff5269cf1e67d48033d6480bb831d35bb898f4cb57f28a05021ccfd86787a
Instruction Fuzzy Hash: 7621C435214211EFD7149B24DC48F6ABBA9EF45324F248259F4168B6E3CB71FC56CB90

Function 001D78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001D8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,001D790A,?,000000FF,?,001D8754,00000000,?,0000001C,?,?), ref: 001D8D8C
Part of subcall function 001D8D7D: lstrcpyW.KERNEL32(00000000,?,?,001D790A,?,000000FF,?,001D8754,00000000,?,0000001C,?,?,00000000), ref: 001D8DB2
Part of subcall function 001D8D7D: lstrcmpiW.KERNEL32(00000000,?,001D790A,?,000000FF,?,001D8754,00000000,?,0000001C,?,?), ref: 001D8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,001D8754,00000000,?,0000001C,?,?,00000000), ref: 001D7923
lstrcpyW.KERNEL32(00000000,?,?,001D8754,00000000,?,0000001C,?,?,00000000), ref: 001D7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,001D8754,00000000,?,0000001C,?,?,00000000), ref: 001D7984

Strings

cdecl, xrefs: 001D797B

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 0c762a4c9f23a01eb7c1abcacc4df4432a96f6976de2ba1ab1fd7cc04945ddf9
Instruction ID: a58bb892ab726c3a6385dff5809be68594db2050761094174f52767ce45b1846
Opcode Fuzzy Hash: 0c762a4c9f23a01eb7c1abcacc4df4432a96f6976de2ba1ab1fd7cc04945ddf9
Instruction Fuzzy Hash: C711E47A200342ABCF196F38D855D7B77A9FF95364B10402BE806C73A5FB319811C761

Function 00207CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00207D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00207D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00207D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001EB7AD,00000000), ref: 00207D6B

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c858946d89650b2aa9375eb4ca370d9c734afa92780c3c834bcc6ba422f284e4
Instruction ID: 99d892224202bbecd8562291928ea5145c37aea5b71084e33c7fe5f06458bb03
Opcode Fuzzy Hash: c858946d89650b2aa9375eb4ca370d9c734afa92780c3c834bcc6ba422f284e4
Instruction Fuzzy Hash: D111D235A25715AFDB109F28DC08A663BA4AF46360B254324F835D72F1E730E960CB50

Function 00205660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002056BB
_wcslen.LIBCMT ref: 002056CD
_wcslen.LIBCMT ref: 002056D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00205816

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b70958887db441a43d3f93e35f72ebf4d8f65ee4105f77b096a479a5e07748f5
Instruction ID: 2d8f194ebeae39678f512cb26b246c7b39b521f6f7715fcbc2d21e0bc1fba63a
Opcode Fuzzy Hash: b70958887db441a43d3f93e35f72ebf4d8f65ee4105f77b096a479a5e07748f5
Instruction Fuzzy Hash: 2411E175A20729A6DF209F61CC85AEF77ACFF11764B104026F905D60C3EBB08AA0CF60

Function 001A1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7695bee77258f8f23d446eee4f2cd14caf740c2927974653ae238067e8b6a7ae
Instruction ID: eae85c125a1fb3b069f843da7a74fb95b6ea720110b82e5568b03519f8d1de1e
Opcode Fuzzy Hash: 7695bee77258f8f23d446eee4f2cd14caf740c2927974653ae238067e8b6a7ae
Instruction Fuzzy Hash: 8401ADBA209A167EF62126B87CC8F67661CDF937B8F310329F525A11D2DB708C004170

Function 001D1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001D1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D1A8A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3e463a0dcb6871b49f4f93baacc41f42d6a114fa44c1bf4bb5d92a8681cb2f41
Instruction ID: 79a3634667856c203578061a6c6c1900fdfbdfbbc9bdf8117112c65c2ef28362
Opcode Fuzzy Hash: 3e463a0dcb6871b49f4f93baacc41f42d6a114fa44c1bf4bb5d92a8681cb2f41
Instruction Fuzzy Hash: 6211273A901219FFEB109BA4C985FADBB79EB08750F200092EA00B7290D7716E50DB94

Function 001DE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001DE1FD
MessageBoxW.USER32(?,?,?,?), ref: 001DE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001DE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001DE24D

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: eb1a5eca45c0de900fa1776dc57db2bc9f5ea3f1ad82ee55b95d3fda6ce239d8
Instruction ID: e836c0254fc6991feb9582ba6a272b54914443d7cf7c0c17ce100b29c57cb091
Opcode Fuzzy Hash: eb1a5eca45c0de900fa1776dc57db2bc9f5ea3f1ad82ee55b95d3fda6ce239d8
Instruction Fuzzy Hash: 2711C8B6904254BBC701AFA8BC0DA9F7FAC9B45321F14435AF915D7391D770D90487A0

Function 0019D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0019CFF9,00000000,00000004,00000000), ref: 0019D218
GetLastError.KERNEL32 ref: 0019D224
__dosmaperr.LIBCMT ref: 0019D22B
ResumeThread.KERNEL32(00000000), ref: 0019D249

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 3e6bd6fd637a08668a0d8f9c1ecfafdabc266880ecfc677c600bc93351438faa
Instruction ID: 0ae67bfd003bfc5ba10ce81bde399105e2ede4ff8b19caf717329fc003bfd48d
Opcode Fuzzy Hash: 3e6bd6fd637a08668a0d8f9c1ecfafdabc266880ecfc677c600bc93351438faa
Instruction Fuzzy Hash: 5D01F576805204BBCF116BA5FC09BAE7A69DF91730F200369F925921D0CF70C901C6A0

Function 00209EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

GetClientRect.USER32(?,?), ref: 00209F31
GetCursorPos.USER32(?), ref: 00209F3B
ScreenToClient.USER32(?,?), ref: 00209F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00209F7A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 926c9714a9fba407bac7c1578fd1d1113676882ff621d191436e8705590bcd14
Instruction ID: 8dbee5515d1d05d411a8f1af412039862b979e508ad8a4cccfbc45a4d29cf563
Opcode Fuzzy Hash: 926c9714a9fba407bac7c1578fd1d1113676882ff621d191436e8705590bcd14
Instruction Fuzzy Hash: 1511883291021AABDB10EF68D8899EE77B8FB05301F100551F902E3482C330BAE1CBA1

Function 0017600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0017604C
GetStockObject.GDI32(00000011), ref: 00176060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0017606A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 6369731012eb5217c2a92c236a6bf3ffe49574aca7752e80b0028d5a6bc931e8
Instruction ID: 3aac193bed9023cb0fe65831039cf4dd3f539013cabd47524d606c89351b520e
Opcode Fuzzy Hash: 6369731012eb5217c2a92c236a6bf3ffe49574aca7752e80b0028d5a6bc931e8
Instruction Fuzzy Hash: 95118BB2101A08BFEF164FA49C48AEABB7DEF083A4F104201FA0852021C7369C609FA0

Function 00193B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00193B56

Part of subcall function 00193AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00193AD2
Part of subcall function 00193AA3: ___AdjustPointer.LIBCMT ref: 00193AED

_UnwindNestedFrames.LIBCMT ref: 00193B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00193B7C
CallCatchBlock.LIBVCRUNTIME ref: 00193BA4

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 8ba9317196bd544ae320d82001c4973f00f9d72b0b84b14c4b4a246288f8ed5d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 6E01E932100149BBDF126E95CC46EEB7B6AFF58754F044014FE5896121C732E962EBA0

Function 001A3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001713C6,00000000,00000000,?,001A301A,001713C6,00000000,00000000,00000000,?,001A328B,00000006,FlsSetValue), ref: 001A30A5
GetLastError.KERNEL32(?,001A301A,001713C6,00000000,00000000,00000000,?,001A328B,00000006,FlsSetValue,00212290,FlsSetValue,00000000,00000364,?,001A2E46), ref: 001A30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,001A301A,001713C6,00000000,00000000,00000000,?,001A328B,00000006,FlsSetValue,00212290,FlsSetValue,00000000), ref: 001A30BF

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: aae9cd41c9ababd91b65060d311b0e27a2177116dd321d3de7d0eff9e8453e09
Instruction ID: a0b1627e5b9108570ef4ec9f88440b6a94681c6c07fc3d18f3b3a1d3c70bc345
Opcode Fuzzy Hash: aae9cd41c9ababd91b65060d311b0e27a2177116dd321d3de7d0eff9e8453e09
Instruction Fuzzy Hash: 0101FC7A301322ABC7314B79AD4CB677B989F477A1B310720F925D3181C721D905C6E0

Function 001D7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 001D747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001D7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001D74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001D74CA

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 377ba2ddda71c83442d7e37676495e4871ad7b6a29db9ff4951b47d1fd7eeb39
Instruction ID: fb4e56b009f12c9bec9d6ad1ff7667e692f479dfda79251cca8e7e6fef8f570f
Opcode Fuzzy Hash: 377ba2ddda71c83442d7e37676495e4871ad7b6a29db9ff4951b47d1fd7eeb39
Instruction Fuzzy Hash: AC1161B52093159BE7218F14ED4DB92BBFCEB00B04F10856AA656D6292E770E904DB60

Function 001DB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001DACD3,?,00008000), ref: 001DB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001DACD3,?,00008000), ref: 001DB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001DACD3,?,00008000), ref: 001DB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001DACD3,?,00008000), ref: 001DB126

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a1a5c5a76d3e74b32f008c9bafedea796f413684ef27a1a61d58312d498af705
Instruction ID: 94efdadf7c7052cd42c5cb5ae933b34efc19651363fe23472cdbec1ea86d30ab
Opcode Fuzzy Hash: a1a5c5a76d3e74b32f008c9bafedea796f413684ef27a1a61d58312d498af705
Instruction Fuzzy Hash: 53116171C0561CD7CF04AFE4F9D96EEBB78FF09711F124196E942B2241CB3056508B91

Function 00207E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00207E33
ScreenToClient.USER32(?,?), ref: 00207E4B
ScreenToClient.USER32(?,?), ref: 00207E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00207E8A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e48903e31db86c2aa688922d89121f09c379d067b911f2de2ed6784c205d1c3c
Instruction ID: a5986d9be5cbad926abdcccb09810f7eed173f5e04fb53bae3ff528db667e941
Opcode Fuzzy Hash: e48903e31db86c2aa688922d89121f09c379d067b911f2de2ed6784c205d1c3c
Instruction Fuzzy Hash: D71186B9D0020AAFDB41CF98D8849EEBBF9FF08310F104156E911E3251D735AA54CF50

Function 001D2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001D2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 001D2DD6
GetCurrentThreadId.KERNEL32 ref: 001D2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001D2DE4

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 9ea35c112b10d5636c4d441966b5f066d17221c784f94980268b59678925aaec
Instruction ID: f6c12a1d68dcdcfd64c01e24e5d463762614b5ff2d3ffea32ad1955da3baf8d1
Opcode Fuzzy Hash: 9ea35c112b10d5636c4d441966b5f066d17221c784f94980268b59678925aaec
Instruction Fuzzy Hash: 62E092B11017247BD7301BB6AC0DFEB7E6DEF96BA1F100216F105D11819BB1C840C6B0

Function 00208863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00189639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00189693
Part of subcall function 00189639: SelectObject.GDI32(?,00000000), ref: 001896A2
Part of subcall function 00189639: BeginPath.GDI32(?), ref: 001896B9
Part of subcall function 00189639: SelectObject.GDI32(?,00000000), ref: 001896E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00208887
LineTo.GDI32(?,?,?), ref: 00208894
EndPath.GDI32(?), ref: 002088A4
StrokePath.GDI32(?), ref: 002088B2

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c0a9387579edfcf6c0257753b0eab4a50312c387c275402ee6fd2e554e2204aa
Instruction ID: dfd815d111e729950377c5e491ad8584fb1c9d90d127a1430dc742ae3fda955f
Opcode Fuzzy Hash: c0a9387579edfcf6c0257753b0eab4a50312c387c275402ee6fd2e554e2204aa
Instruction Fuzzy Hash: 11F03A76041259FAEB126F94AC0DFCA3E6AAF06710F148100FA11650E2C7755561DFE5

Function 001898B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001898CC
SetTextColor.GDI32(?,?), ref: 001898D6
SetBkMode.GDI32(?,00000001), ref: 001898E9
GetStockObject.GDI32(00000005), ref: 001898F1

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 14bcc827e16b0f31561aaf5a004182a9d6f539decd838fd657507673b0c1d915
Instruction ID: 97d5b0ef86b07b3e48551d460a3fdce49edd4b0b73cae6e110c163b4b138a65b
Opcode Fuzzy Hash: 14bcc827e16b0f31561aaf5a004182a9d6f539decd838fd657507673b0c1d915
Instruction Fuzzy Hash: 22E06D71244380AEDB215B74BC0DBEC7F20AB22336F248319FAFA580E2C3B186509F10

Function 001D162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 001D1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001D11D9), ref: 001D163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001D11D9), ref: 001D1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001D11D9), ref: 001D164F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 625d916e13527e93b019a1bbe3fc9683b05255284286263d3d6f2e918d3da43f
Instruction ID: 066d4bb3bbe994afa1d7dfdccb65a2038471e3fd28bae0a1837090ad718827a6
Opcode Fuzzy Hash: 625d916e13527e93b019a1bbe3fc9683b05255284286263d3d6f2e918d3da43f
Instruction Fuzzy Hash: B4E08CB2606311FBE7202FA0BE0DB863B7DAF44792F248909F645C9081E7749440CB60

Function 001CD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001CD858
GetDC.USER32(00000000), ref: 001CD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001CD882
ReleaseDC.USER32(?), ref: 001CD8A3

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f52a8f556cdf7d8b138380c3a0140d5d47e0fd6f699d365641dad2fce81ea266
Instruction ID: 40e3493786ee56ded07cbdab7960c4ae6f482418c6b805a0ae6dafb6312fe1b2
Opcode Fuzzy Hash: f52a8f556cdf7d8b138380c3a0140d5d47e0fd6f699d365641dad2fce81ea266
Instruction Fuzzy Hash: E3E01AB0800304DFCF51AFB0E84CA6DBBB6FB48310F218119F856E7251CB398A01AF50

Function 001CD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001CD86C
GetDC.USER32(00000000), ref: 001CD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001CD882
ReleaseDC.USER32(?), ref: 001CD8A3

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a3de45df1a4c11987203491a714a783d01a20472ceef5de96db3b8b431265e67
Instruction ID: 4edddd0209f192a0134b15c3dc06f26f2a1c91fce985fbce13e457c972bc6068
Opcode Fuzzy Hash: a3de45df1a4c11987203491a714a783d01a20472ceef5de96db3b8b431265e67
Instruction Fuzzy Hash: EEE09AB5800304DFCF51AFB4E84C66DBBB5BB48311F248549F95AE7251CB395A019F50

Function 001E4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00177620: _wcslen.LIBCMT ref: 00177625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001E4ED4

Strings

LPT, xrefs: 001E4DFB
*, xrefs: 001E4E10

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 24ab9f725a009ce770ad9f4490a7cfe1d9e291e42aa9338d8a3de3b90ef31024
Instruction ID: f128db02d00cfce539632b8ef1c0d6451a7a48f618fcfc7ccf07ca4e6e7bfc9a
Opcode Fuzzy Hash: 24ab9f725a009ce770ad9f4490a7cfe1d9e291e42aa9338d8a3de3b90ef31024
Instruction Fuzzy Hash: 6F916E75A006449FCB14DF59C484EAEBBF1BF45704F198099E80A9F3A2C735EE85CB91

Function 0019E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0019E30D

Strings

pow, xrefs: 0019E2E5, 0019E302

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: f0bd0b871696b708d067aec651d1e3f176dde04ea22a154a6764bc42ab3128bc
Instruction ID: aafc905bd7d47c0be8d2456b7c4b1887aa3e518c5d7d013f1af8db4f808adb5e
Opcode Fuzzy Hash: f0bd0b871696b708d067aec651d1e3f176dde04ea22a154a6764bc42ab3128bc
Instruction Fuzzy Hash: 0B518D65A0C20296CF15B714DD053BA3BE4FB51740F348D68F0D6833E9EF318E959A86

Function 001F7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(001C569E,00000000,?,0020CC08,?,00000000,00000000), ref: 001F78DD

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

CharUpperBuffW.USER32(001C569E,00000000,?,0020CC08,00000000,?,00000000,00000000), ref: 001F783B

Strings

<s#, xrefs: 001F77C8

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s#
API String ID: 3544283678-1950719649
Opcode ID: ea1ff2df5f1f12bfe30e9c2cfe3501b1018326d6c3775e73a24e7b24e6f9b5a3
Instruction ID: dcb5067bdb3bc2c31bcd48c46e7c37cf863f2cc68a33358b6f4740b2e433de63
Opcode Fuzzy Hash: ea1ff2df5f1f12bfe30e9c2cfe3501b1018326d6c3775e73a24e7b24e6f9b5a3
Instruction Fuzzy Hash: 38613D72914119EACF14EBA4DC91DFDB378BF28704B548129F646A70D2EF705A09DBA0

Function 0018E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0018E1B1

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d0d96783bb4cb216e81ea67845b9b0da5a4d7ed1df5ae4086a396f7c0d391362
Instruction ID: 5335c210b0a41dcc4727a0db11e399c043a962ef1999c7d4ce0c66a8375ba4fc
Opcode Fuzzy Hash: d0d96783bb4cb216e81ea67845b9b0da5a4d7ed1df5ae4086a396f7c0d391362
Instruction Fuzzy Hash: 57510175500346DFDB29EF68C482EBA7BE9EF75310F248059E8919B290D734DE52CBA0

Function 0018F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0018F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0018F2BB

Strings

@, xrefs: 0018F2AF

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3425d542fe3d01329313419b5a62f8e12284aba42b0a31939cf5f388b040caf1
Instruction ID: 0998e42df3510000410605ccac57216e34f62389eb2cb711235448f34cf027f9
Opcode Fuzzy Hash: 3425d542fe3d01329313419b5a62f8e12284aba42b0a31939cf5f388b040caf1
Instruction Fuzzy Hash: C05138714087449BD320AF54EC86BAFBBF8FBA5300F81885DF1D9411A5EF708629CB66

Function 001F5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001F57E0
_wcslen.LIBCMT ref: 001F57EC

Strings

CALLARGARRAY, xrefs: 001F57E6, 001F57EB

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 231c240cdf653496350746c74440e11ebff2fd163f31741633b03dd002db5715
Instruction ID: 10f1d41fdd2a434f7573268cd020ca729f0bde9a236f68e633db61ec5e8bee19
Opcode Fuzzy Hash: 231c240cdf653496350746c74440e11ebff2fd163f31741633b03dd002db5715
Instruction Fuzzy Hash: 8B41A271E002099FCB14DFA9D8858BEBBB6FF69354F104129F605A7292E7349D81CF90

Function 001ED0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001ED130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001ED13A

Strings

|, xrefs: 001ED10B

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6ac2ea778794bd1f3a928142b8ce79ac883332120a5eb5e5b2a541eb17f2b12d
Instruction ID: 61d6e6a9a97d92e43e5dbbec46390908a07d360bdc692664c885fcefbcfa7f62
Opcode Fuzzy Hash: 6ac2ea778794bd1f3a928142b8ce79ac883332120a5eb5e5b2a541eb17f2b12d
Instruction Fuzzy Hash: 33315071D00209ABCF15EFA5DC85EEEBFB9FF18300F104059F819A6162DB31AA46CB61

Function 0020356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00203621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0020365C

Strings

static, xrefs: 002035BC

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a96c4eea9d46068e5b00ae33aadc3bcb37689ec04a9926985c2aaeb240837662
Instruction ID: b248ade8231e5e1c4c1cebdcf7ceb0d9122821a9a20ebd528cb95a73fc49cb92
Opcode Fuzzy Hash: a96c4eea9d46068e5b00ae33aadc3bcb37689ec04a9926985c2aaeb240837662
Instruction Fuzzy Hash: 1431AF71120704AADB10DF28DC80EBB73ADFF88720F108619F8A597291DB31ADA1CB64

Function 00204537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0020461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00204634

Strings

', xrefs: 0020458E

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0733dc84cf8bfa445c2e66a0fd1e35dc1a9a3840307e4892b59284bb68bcf94b
Instruction ID: 7bff8f2f4bbb31b43a725a14f87b15abbb0c41457a911033a301334a3fae1a52
Opcode Fuzzy Hash: 0733dc84cf8bfa445c2e66a0fd1e35dc1a9a3840307e4892b59284bb68bcf94b
Instruction Fuzzy Hash: CE314FB4A1130A9FDF14DFA5C980BDA7BB9FF59300F504169EA049B382E771A951CF90

Function 002031EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0020327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00203287

Strings

Combobox, xrefs: 00203249

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 5a689832270b7908384eaf8ad219e2d798e68fdd7b7729cfc2f04191cd030b4e
Instruction ID: 0c82ece2d2b42080dfe1ccf1947f5260eed363020d03168602bafc09dd65cce0
Opcode Fuzzy Hash: 5a689832270b7908384eaf8ad219e2d798e68fdd7b7729cfc2f04191cd030b4e
Instruction Fuzzy Hash: 5C11D0712202097FEF25DF54DC84EBB376EEB94364F104125F918972D2D6319D618B60

Function 00203710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0017600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0017604C
Part of subcall function 0017600E: GetStockObject.GDI32(00000011), ref: 00176060
Part of subcall function 0017600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0017606A

GetWindowRect.USER32(00000000,?), ref: 0020377A
GetSysColor.USER32(00000012), ref: 00203794

Strings

static, xrefs: 00203757

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 0b87a9a4dbc65c59015aa0321d914b28bf90a8fb6f54b50e68a5caba133906b7
Instruction ID: 3933e6e993f6659cd6152b8c81ca91aa8ac5b08a1d61d8b6de1b38e24a03ee04
Opcode Fuzzy Hash: 0b87a9a4dbc65c59015aa0321d914b28bf90a8fb6f54b50e68a5caba133906b7
Instruction Fuzzy Hash: 3A113AB262020AAFDF00DFA8CC45EEA7BB8FF09314F104A15FD55E2291D775E8619B50

Function 001ECD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001ECD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001ECDA6

Strings

<local>, xrefs: 001ECD66

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 9b90e8f6fed608894ba9ce3f4cced8dd51453f60dbf0dd16c4abc8f87c3064a9
Instruction ID: bed1db157d3ae84269ab14bb36b82ca988b144a7e2b5eb598ad2cdee090f663c
Opcode Fuzzy Hash: 9b90e8f6fed608894ba9ce3f4cced8dd51453f60dbf0dd16c4abc8f87c3064a9
Instruction Fuzzy Hash: E611C6B1205A71BAD7384BA78C49FEBBEACFF127A4F104226B10983090D7759842D6F0

Function 00203429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002034AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002034BA

Strings

edit, xrefs: 0020348F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 98ed6d37d2c3ef2392d397182eaaf62f377d885e6e215cfb41353f22b45b5ad3
Instruction ID: 9dd9d904f7eb0bff247084588d98be010ef19b8bba1d31b5c40814107ced05b3
Opcode Fuzzy Hash: 98ed6d37d2c3ef2392d397182eaaf62f377d885e6e215cfb41353f22b45b5ad3
Instruction Fuzzy Hash: 6211BF71120309ABEB118F64EC84ABB376EEF05374F604324F9649B1D1C771DC619B50

Function 001D6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

CharUpperBuffW.USER32(?,?,?), ref: 001D6CB6
_wcslen.LIBCMT ref: 001D6CC2

Strings

STOP, xrefs: 001D6CBC, 001D6CC1

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 73a5b8f2c5d4e5af1dadf2527dea42d700560719d0f20084da8c443ef17c9413
Instruction ID: 284deaf87e56d393bd6dbd2b841bde49942dde17a702769fd80c492c1ba069f4
Opcode Fuzzy Hash: 73a5b8f2c5d4e5af1dadf2527dea42d700560719d0f20084da8c443ef17c9413
Instruction Fuzzy Hash: 9F0104326249268BCB209FFDEC808BF33B5EB717507100526E85296291EB31D800C650

Function 001D1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001D3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001D1D4C

Strings

ComboBox, xrefs: 001D1CEB
ListBox, xrefs: 001D1D16

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c39dabbe64cce166911126bfaa4aa91c5ea07a0c00762443b78b58032439c1d4
Instruction ID: 2907b91db0f548bbf9a8a3dcaa1a60f6bd63861e3a946006aa49a7b0da044106
Opcode Fuzzy Hash: c39dabbe64cce166911126bfaa4aa91c5ea07a0c00762443b78b58032439c1d4
Instruction Fuzzy Hash: 1E01F171650228BBCB08EBE0CC19CFE73A9EB62350B000A0BE836673C1EB30590CC661

Function 001D1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001D3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 001D1C46

Strings

ComboBox, xrefs: 001D1BE5
ListBox, xrefs: 001D1C10

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 921fa57ef0abdbc662ba90f5c702a4bf134a2eb85aa78382aeef96ce887faf5b
Instruction ID: df32bc222dcc22988a70228df815fde77459a3fe8baaeeb44ab832b0368b4dc3
Opcode Fuzzy Hash: 921fa57ef0abdbc662ba90f5c702a4bf134a2eb85aa78382aeef96ce887faf5b
Instruction Fuzzy Hash: BC01A7B57A110876DF18EB90DD52DFF77A89F22340F14001BA41A67382EB209F1C96B2

Function 001D1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001D3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 001D1CC8

Strings

ComboBox, xrefs: 001D1C69
ListBox, xrefs: 001D1C94

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1a137891be23ebb88bcf8345fcea814a316e1341c2a8de8e66cce9cde4e7d715
Instruction ID: 072abe65f04e54ac93032b4dd1f38e9af980f1f4bf449d57e6d76398add8005a
Opcode Fuzzy Hash: 1a137891be23ebb88bcf8345fcea814a316e1341c2a8de8e66cce9cde4e7d715
Instruction Fuzzy Hash: 5E01A2B17A011876CB18EBA4CA02EFF73AC9B22340F540016B80677382EB219F199672

Function 001D1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001D3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 001D1DD3

Strings

ComboBox, xrefs: 001D1D75
ListBox, xrefs: 001D1DA0

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 40df741f4a97347ed5c381ca8e2c97f0271511a6ae93259e32e020a97b6ec287
Instruction ID: 003c27d5aa29ece92fa16e69096be6b1e145d086e983e96d2aa4d4a56c2a951f
Opcode Fuzzy Hash: 40df741f4a97347ed5c381ca8e2c97f0271511a6ae93259e32e020a97b6ec287
Instruction Fuzzy Hash: 7FF0F471B6061876CB08E7E4DC56EFF737DAB22354F040916B826673C1DB60590C8261

Function 00208172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00243018,0024305C), ref: 002081BF
CloseHandle.KERNEL32 ref: 002081D1

Strings

\0$, xrefs: 0020818A

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0$
API String ID: 3712363035-2040716516
Opcode ID: e63710095706fabda21aa6455b1a12628c5656a868d828889d0fda4827d74dad
Instruction ID: cf7d8f3f33402c418480e0d622b17d6a5ddc67b3e0b424657431e9a4a1d8bc5b
Opcode Fuzzy Hash: e63710095706fabda21aa6455b1a12628c5656a868d828889d0fda4827d74dad
Instruction Fuzzy Hash: 52F05EF6650300BAE720AB61BC49FB73A9CEB19B50F105560FB08D51A2D6768A1082B8

Function 001F747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001F7493
_wcslen.LIBCMT ref: 001F74B9

Strings

3, 3, 16, 1, xrefs: 001F7483

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: db009123af979866040391a8bed0929c79182bc506630e41a9b6995443a981c0
Instruction ID: c00d0eb15dacf46baa59accf8920158c6c40de63f10e7115156a014cc23ce660
Opcode Fuzzy Hash: db009123af979866040391a8bed0929c79182bc506630e41a9b6995443a981c0
Instruction Fuzzy Hash: 8CE02B4221422411963122799CC1D7F56C9CFDD750714182BFA81C22E6EB948D9393A1

Function 001D0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001D0B23

Strings

AutoIt, xrefs: 001D0B17
Error allocating memory., xrefs: 001D0B1C

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 3df32c8579c7a63d4e795fb13c7d22f02cc090794163fe6f9e6970503f535857
Instruction ID: 665acd57816adad1cda38a6744282bf48ef8c09f79068ecc4fff63b6370c6623
Opcode Fuzzy Hash: 3df32c8579c7a63d4e795fb13c7d22f02cc090794163fe6f9e6970503f535857
Instruction Fuzzy Hash: AEE0D87124431866D31437947C07F897B848F19B61F20042BF748555C38BD225A00AE9

Function 00190D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0018F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00190D71,?,?,?,0017100A), ref: 0018F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0017100A), ref: 00190D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0017100A), ref: 00190D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00190D7F

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 3a71e90b8b3411a542481105a474091367f8f11ce0d411e9c0b5d8b832feae15
Instruction ID: 98c614750143cb92d5d5e3d036fa0abadacff642123084f95401341b3d6b66a2
Opcode Fuzzy Hash: 3a71e90b8b3411a542481105a474091367f8f11ce0d411e9c0b5d8b832feae15
Instruction Fuzzy Hash: C6E092B42003018FE7719FB8E5083427BE4BF18740F008A2DE896C6A92DBB0E4448B91

Function 0018E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0018E3D5

Strings

8%$, xrefs: 0018E3CA
0%$, xrefs: 0018E3B5

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%$$8%$
API String ID: 1385522511-2281168666
Opcode ID: a9a9903f3fd9991d067161bba674dec5976b73bb2c8121963504bdc00edddd2f
Instruction ID: f7b12c8e5a2dd460af28b61e95f81897fbed0ba2cd70c4ea5386c13025342aff
Opcode Fuzzy Hash: a9a9903f3fd9991d067161bba674dec5976b73bb2c8121963504bdc00edddd2f
Instruction Fuzzy Hash: DAE02635510910CFCA0DB719BA58A883391FB1A320BD00179F902871D19BB02D458B44

Function 001E3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001E302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 001E3044

Strings

aut, xrefs: 001E3038

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a2e5ca1328d1fe39b7e9212b1ae438e7594d53d0298d1286f4e963c8c3f22497
Instruction ID: 8c03e6437de338dbb6f4e16d868a523811b504cc1d70ebe6ca1fe45eb6100279
Opcode Fuzzy Hash: a2e5ca1328d1fe39b7e9212b1ae438e7594d53d0298d1286f4e963c8c3f22497
Instruction Fuzzy Hash: B9D05EB25003287BDA20A7A4AC0EFCB3A6CDB05750F0002A1BA55E20D2DAB09984CAD0

Function 001CD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001CD220

Strings

%.3d, xrefs: 001CD22B
X64, xrefs: 001CD2A8

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 63021897ed0dac421572eee8ffd6155a389da3e9b62ad2c95e7b158dac27746a
Instruction ID: f8915733765dc89ea43b045d75ed1277cd3231d71ac27ca004769a4694f5be4f
Opcode Fuzzy Hash: 63021897ed0dac421572eee8ffd6155a389da3e9b62ad2c95e7b158dac27746a
Instruction Fuzzy Hash: BBD012A1C08208E9CB58A7D0EC49EBAB3BCEB29341F62847AFC0692040D734C6496B61

Function 00202322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0020232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0020233F

Part of subcall function 001DE97B: Sleep.KERNEL32 ref: 001DE9F3

Strings

Shell_TrayWnd, xrefs: 00202325

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c52619ade32fcb0b84a311cb62d375216ee39197c077406caf50e487a26f8d0c
Instruction ID: 89687f85b978a6f68a46136b244ce637f9ec16073acb543a5780c7a580820257
Opcode Fuzzy Hash: c52619ade32fcb0b84a311cb62d375216ee39197c077406caf50e487a26f8d0c
Instruction Fuzzy Hash: C3D0A9B63D0300B6E66CB330AC0FFC6AA089B00B04F204A027205AA1D1C9A0A8008A50

Function 00202356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0020236C
PostMessageW.USER32(00000000), ref: 00202373

Part of subcall function 001DE97B: Sleep.KERNEL32 ref: 001DE9F3

Strings

Shell_TrayWnd, xrefs: 00202365

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 25c5ad8c835bbed398e2850f16b11f63ce403677aa2e1e95a3b1e7d29284eb31
Instruction ID: a412bb99ff2518e60cb090b9bb8c0017f0c0d7299bde30ab2bee9437f2aabf7f
Opcode Fuzzy Hash: 25c5ad8c835bbed398e2850f16b11f63ce403677aa2e1e95a3b1e7d29284eb31
Instruction Fuzzy Hash: D9D0A9B23C13007AE66CB330AC0FFC6AA089B00B04F604A027201AA1D1C9A0A8008A54

Function 001ABDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 001ABE93
GetLastError.KERNEL32 ref: 001ABEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001ABEFC

Memory Dump Source

Source File: 00000000.00000002.1262778368.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.1262760389.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262842984.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262893019.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262909321.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 63a9cbfbc034aaf823b0be2ce1d1f68cb47a297f04bb2537c4f9e2c38c606826
Instruction ID: ace04692057af0c361c97ac2b0c54d4fede4b6b9b082073144d6b4062577a169
Opcode Fuzzy Hash: 63a9cbfbc034aaf823b0be2ce1d1f68cb47a297f04bb2537c4f9e2c38c606826
Instruction Fuzzy Hash: 1441FC38609286AFCF258F74DCD4ABA7BA5EF43310F194169F959971A3DB308D01CB50

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1731286821&timestamp=1727761872549 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=snQzUaj2gsNaXF0FXx3FFBFLysabE1xssb3ygtfJqMICegbexOJEsjNmM_i3r_V1phGw-ujXdNmaS-9nEHdM2s89Hf8ACKxlFs8QkuWIGrGODE7nghsWXWxVFmks8w9ka2oHvIjMxvvErd2xaAJgiZ15V6OmLwMWSpaGq9i-NeOiAKLyKj8
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ahgbDtugU7k3WPo&MD=cgRRYdmF HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ahgbDtugU7k3WPo&MD=cgRRYdmF HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
file.exe

Function 001742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 001742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 001B2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 001DD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Function 001DDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Function 001FAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00172CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 001B065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0017344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00172B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00173170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00171410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre