Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1523260
MD5:	873bd04e24ffd5ff03c7cbcb0390619b
SHA1:	3d72d99e3bd8ef83e3d156e08f4d66f83053064e
SHA256:	02a9704a3a661c5c01658ecba3156cf65924af152948a3006f0c4b7b37024913
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 3372 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 873BD04E24FFD5FF03C7CBCB0390619B)

chrome.exe (PID: 6056 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5720 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 --field-trial-handle=1988,i,2673826556908286864,11684377215741503377,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7844 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5672 --field-trial-handle=1988,i,2673826556908286864,11684377215741503377,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7852 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 --field-trial-handle=1988,i,2673826556908286864,11684377215741503377,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

String found in binary or memory: _.iq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.iq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.iq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.iq(_.rq(c))+"&hl="+_.iq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.iq(m)+"/chromebook/termsofservice.html?languageCode="+_.iq(d)+"&regionCode="+_.iq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_99.4.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_99.4.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000002.2013934744.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_105.4.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_99.4.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_99.4.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_105.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_105.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_99.4.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_99.4.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_99.4.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_99.4.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_99.4.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_99.4.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_99.4.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_99.4.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_99.4.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_99.4.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_99.4.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_99.4.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_105.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_99.4.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_99.4.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_99.4.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_105.4.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_99.4.dr	String found in binary or memory: https://www.google.com
Source: chromecache_99.4.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_105.4.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_105.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_105.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_105.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_105.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_105.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_99.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_99.4.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000002.2014006928.0000000000D40000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2012979320.00000000005D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_99.4.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49763 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0089EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0089EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0089ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0089ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0089EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0088AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0088AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_008B9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_88a3b7c2-2
Source: file.exe, 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ba604b59-c
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9c78b84a-9
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6648308f-0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0088D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0088D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00881201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00881201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0088E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0088E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00892046	0_2_00892046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00828060	0_2_00828060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00888298	0_2_00888298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085E4FF	0_2_0085E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085676B	0_2_0085676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B4873	0_2_008B4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084CAA0	0_2_0084CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082CAF0	0_2_0082CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083CC39	0_2_0083CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00856DD9	0_2_00856DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008291C0	0_2_008291C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083B119	0_2_0083B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00841394	0_2_00841394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00841706	0_2_00841706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084781B	0_2_0084781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008419B0	0_2_008419B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00827920	0_2_00827920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083997D	0_2_0083997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00847A4A	0_2_00847A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00847CA7	0_2_00847CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00841C77	0_2_00841C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00859EEE	0_2_00859EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008ABE44	0_2_008ABE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00841F32	0_2_00841F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00829CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00840A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0083F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.evad.winEXE@31/36@12/7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008937B5 GetLastError,FormatMessageW,

0_2_008937B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008810BF AdjustTokenPrivileges,CloseHandle,		0_2_008810BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008816C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008951CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0088D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0088D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0089648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0089648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008242A2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 --field-trial-handle=1988,i,2673826556908286864,11684377215741503377,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5672 --field-trial-handle=1988,i,2673826556908286864,11684377215741503377,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 --field-trial-handle=1988,i,2673826556908286864,11684377215741503377,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 --field-trial-handle=1988,i,2673826556908286864,11684377215741503377,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5672 --field-trial-handle=1988,i,2673826556908286864,11684377215741503377,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 --field-trial-handle=1988,i,2673826556908286864,11684377215741503377,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Google Drive.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008242DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00840A76 push ecx; ret

0_2_00840A89

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0083F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_008B1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96711

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.1 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0088DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085C2A2 FindFirstFileExW,	0_2_0085C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008968EE FindFirstFileW,FindClose,	0_2_008968EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0089698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0088D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0088D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00899642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00899642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0089979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00899B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00899B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00895C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00895C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008242DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0089EAA2 BlockInput,

0_2_0089EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00852622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00852622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008242DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00844CE8 mov eax, dword ptr fs:[00000030h]

0_2_00844CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00880B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00880B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00852622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00852622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0084083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008409D5 SetUnhandledExceptionFilter,	0_2_008409D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00840C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00840C21

Source: C:\Users\user\Desktop\file.exe

0_2_00881201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00862BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00862BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0088B226 SendInput,keybd_event,

0_2_0088B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008A22DA

Source: C:\Users\user\Desktop\file.exe

0_2_00880B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00881663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00881663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00840698 cpuid

0_2_00840698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00898195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00898195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087D27A GetUserNameW,

0_2_0087D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0085B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008242DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_008A1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_008A1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	13%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
youtube.com	0%	Virustotal	Browse
www.google.com	0%	Virustotal	Browse
youtube-ui.l.google.com	0%	Virustotal	Browse
www3.l.google.com	0%	Virustotal	Browse
play.google.com	0%	Virustotal	Browse
accounts.youtube.com	0%	Virustotal	Browse
www.youtube.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe
https://www.google.com/intl/	1%	Virustotal		Browse
https://www.google.com/favicon.ico	0%	Virustotal		Browse
https://play.google.com/work/enroll?identifier=	0%	Virustotal		Browse
https://play.google.com/log?hasfast=true&authuser=0&format=json	0%	Virustotal		Browse
https://youtube.com/t/terms?gl=	0%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
https://play.google.com/log?format=json&hasfast=true	0%	Virustotal		Browse
https://play.google.com/log?format=json&hasfast=true&authuser=0	0%	Virustotal		Browse
https://www.youtube.com/t/terms?chromeless=1&hl=	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
youtube-ui.l.google.com	142.250.185.238	true	false	0%, Virustotal, Browse	unknown
www3.l.google.com	142.250.186.174	true	false	0%, Virustotal, Browse	unknown
play.google.com	142.250.185.78	true	false	0%, Virustotal, Browse	unknown
www.google.com	142.250.184.196	true	false	0%, Virustotal, Browse	unknown
youtube.com	142.250.186.174	true	false	0%, Virustotal, Browse	unknown
accounts.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	0%, Virustotal, Browse	unknown
https://www.google.com/favicon.ico	false	0%, Virustotal, Browse	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_99.4.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_99.4.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_99.4.dr	false	0%, Virustotal, Browse	unknown
https://policies.google.com/technologies/location-data	chromecache_99.4.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_99.4.dr	false	1%, Virustotal, Browse	unknown
https://apis.google.com/js/api.js	chromecache_105.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_99.4.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_99.4.dr	false	0%, Virustotal, Browse	unknown
https://policies.google.com/terms/service-specific	chromecache_99.4.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_99.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_99.4.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_99.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_99.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_99.4.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_105.4.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_99.4.dr	false	0%, Virustotal, Browse	unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_99.4.dr	false	0%, Virustotal, Browse	unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_99.4.dr	false	0%, Virustotal, Browse	unknown
https://support.google.com/accounts?hl=	chromecache_99.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_99.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_99.4.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_99.4.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_99.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.184.196	www.google.com	United States	15169	GOOGLEUS	false
142.250.185.78	play.google.com	United States	15169	GOOGLEUS	false
142.250.186.174	www3.l.google.com	United States	15169	GOOGLEUS	false
142.250.185.238	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.174	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523260
Start date and time:	2024-10-01 11:22:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@31/36@12/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 35 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 216.58.212.131, 142.250.186.78, 74.125.71.84, 34.104.35.123, 216.58.206.74, 142.250.181.234, 172.217.18.10, 142.250.74.202, 142.250.185.234, 142.250.186.138, 142.250.186.74, 142.250.186.170, 142.250.186.42, 172.217.18.106, 142.250.184.234, 172.217.23.106, 172.217.16.202, 216.58.206.42, 142.250.184.202, 142.250.186.106, 172.217.16.131, 142.250.186.131, 142.250.185.202, 142.250.185.138, 172.217.16.138, 142.250.185.106, 142.250.185.170, 142.250.185.74, 216.58.212.138, 199.232.210.172, 192.229.221.95, 142.250.186.163, 108.177.15.84, 142.250.185.206
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	http://www.coolcatalogue.eu/np/cool2024/hu/files/content-page/55a9d7862d5de5084903c7ae3adf5dff.zip	Get hash	malicious	Unknown	Browse
	https://trk.mail.ru/c/kruxy7?clickid=mtg66f14a9e6633b800088f731w&mt_campaign=ss_mark_se_ios&mt_creat%20ive=m-%20se23.mp4&mt_gaid=&mt_idfa=&mt_network=mtg1206891918&mt_oaid=&mt_sub1=ss_mark_se_ios&mt_sub2=mtg12068%2091918&mt_sub3=1809824272&mt_sub5=ss_mark_se_ios	Get hash	malicious	Unknown	Browse
	https://l.facebook.com/l.php?u=https%3A%2F%2Fglossydollyknock.com%2Fw4n3hka2p6%3Fkey%3D4adf7f60948fc97f20eb71a37f488b68%26fbclid%3DIwZXh0bgNhZW0CMTAAAR2sWCkriUyPdlHfdRTPbCt2g8yn2B0gn49apZn-9YDDT6mmSsMKBb63wBg_aem_LHXLb0b6XyEafa9vMdu15Q&h=AT3Q5pc4JYuZUEyX8rr8abFazLnrJX82c0Mzs4joBZygkyzWKVOG4MfAjLuQ9vGazIv4IV-N-QhihzSx2jrkeAjehZSm2YhcT1T0Hz7uxtZvtRIbuTkA_Am76OeQhuopaQ&__tn__=R%5D-R&c%5B0%5D=AT0B8CUrOUWDDhBkBSoY_sR_Q2IdaQRs5o-hIRLRUlMk669issrBSNbduA-V2UNVUT_XZ9QJcwePs_4iUMdBe8WDu2kbum__cQyKqnoqtSz4-dHASRwGlJAYUngRXsgxmoYUj9q1YNGw0-hNPPtRpfV-WyB5ptMMsMbm355vN9Vz8k6D9ZXB_vjILzh8k0OO_w_zawh-IINi5cndpF3-4aGCWeoOMMG3q1NB8mKT_pQljubmHEwtBLrB3RTViT2btvA	Get hash	malicious	Anonymous Proxy	Browse
	http://ek21-cl.asp.cuenote.jp/c/pvwyaadfke3Lf8bG	Get hash	malicious	Unknown	Browse
	https://www.canva.com/design/DAGSL2lLp_4/lQGTdiRa89y3fkgkaFc-uQ/edit?utm_content=DAGSL2lLp_4&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://u47214858.ct.sendgrid.net/ls/click?upn=u001.c4dv-2BqJoebtefwT8NPLgxJhEAMFjIETH3I3Q8CNmlUyiUmttbZn0qPd3YBU1FvM-2FTPZQ0Ny-2FjdR-2FE-2F7zRj1y6P-2FWlxAyLuXYXbYHvhJ5g8KGiVmaicte80xV-2Bl3IZC9tXXFR_qqk8pzmFTqXgUqmijN8NLgkwBDr0C-2Barb6A8p6EP2vzfFIYXQXZPUsC69-2F89CrBr6pqEhlk-2Bm2kXZ9T2yO-2F2wXq53tvBzsea7EyzJ8-2FeaRjYTKe8296LUx3dR165pmE81l4ZlyCckh6XAStB7X6mpZG1eDt2Z2hE9lreTf4zUu15BHkFWIQD6l06j98sSmxefpIhKrPbp1sHqorvnsLfTlqgy97iDW5x7jEFHBjvW3kB67l3ddnWvdhOAQtXJjvxkBTHzOZ1xmNB-2F-2BJv2yxw-2BZ118sFXhzW7kT0jCD4nVA53ptg-2FlDPfE3xlZZV9CMctrTJ1N8IAj5d062XIpZOe3B3qxw6lRc-2FlE4u0JOetbEvf0rjlMWcXfPEqpotI-2F2oVP9HyepyGLoftfNEm6SwBOFPsaNp7O-2BtHor7tHsI-2B0toVkv4rP0i-2Br0nrtV4hMR-2FdhpHoJiQMDnEQt4HkwhputltaAXkVwiAgeKUBKMe5BZPlwbFaY695vWxuBA8sXYlfIlA2nH2OTZtq4olwBYb-2B2OH7O0v7kh9lZbdG-2FR7aHKFdYLoQNSTKRWoXOCWruqXPTLLwScg4q6t45M9fA06bOcDeidFPVNDK-2FWFzDkHMQLFcxNpkS3T2MKWPAPYmVVSF-2FYvR-2FCjme44RBe4WqMVRDyINtH-2BCgXVuhmhyhlxqnQJQ3khWyNBODdBzIgWx7SJHQER1-2BQIENitwqgFbxnEHVgdtauGxq3b7b9C-2BkO-2BOeMHOIaRwA-2BSx45dj5rG-2BfMrbH9xwp2AcUmYUCFe15mQPKLSUbdkG53z-2BRi6KQYCNPyauzai9f2rlpGdEnSU7g8yhbiAHqaWchhGFREcCHEMvyZXxkCNwEjj7wKionbQnEVTNY1chMS4frV68nYnZpRS4eFq1F-2BziFy5Fu7I-2BEGiv2g-3D-3D	Get hash	malicious	Unknown	Browse
	https://app.getresponse.com/change_details.html?x=a62b&m=BrgFNl&s=BW9rcZD&u=C3YQM&z=EMkQID6&pt=change_details	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://abby-gatenby.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVNucEJVREU9JnVpZD1VU0VSMDMwOTIwMjRVNDYwOTAzMDE=N0123N	Get hash	malicious	Unknown	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	http://www.coolcatalogue.eu/np/cool2024/hu/files/content-page/55a9d7862d5de5084903c7ae3adf5dff.zip	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://trk.mail.ru/c/kruxy7?clickid=mtg66f14a9e6633b800088f731w&mt_campaign=ss_mark_se_ios&mt_creat%20ive=m-%20se23.mp4&mt_gaid=&mt_idfa=&mt_network=mtg1206891918&mt_oaid=&mt_sub1=ss_mark_se_ios&mt_sub2=mtg12068%2091918&mt_sub3=1809824272&mt_sub5=ss_mark_se_ios	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://l.facebook.com/l.php?u=https%3A%2F%2Fglossydollyknock.com%2Fw4n3hka2p6%3Fkey%3D4adf7f60948fc97f20eb71a37f488b68%26fbclid%3DIwZXh0bgNhZW0CMTAAAR2sWCkriUyPdlHfdRTPbCt2g8yn2B0gn49apZn-9YDDT6mmSsMKBb63wBg_aem_LHXLb0b6XyEafa9vMdu15Q&h=AT3Q5pc4JYuZUEyX8rr8abFazLnrJX82c0Mzs4joBZygkyzWKVOG4MfAjLuQ9vGazIv4IV-N-QhihzSx2jrkeAjehZSm2YhcT1T0Hz7uxtZvtRIbuTkA_Am76OeQhuopaQ&__tn__=R%5D-R&c%5B0%5D=AT0B8CUrOUWDDhBkBSoY_sR_Q2IdaQRs5o-hIRLRUlMk669issrBSNbduA-V2UNVUT_XZ9QJcwePs_4iUMdBe8WDu2kbum__cQyKqnoqtSz4-dHASRwGlJAYUngRXsgxmoYUj9q1YNGw0-hNPPtRpfV-WyB5ptMMsMbm355vN9Vz8k6D9ZXB_vjILzh8k0OO_w_zawh-IINi5cndpF3-4aGCWeoOMMG3q1NB8mKT_pQljubmHEwtBLrB3RTViT2btvA	Get hash	malicious	Anonymous Proxy	Browse	4.175.87.197 184.28.90.27
	RFQ-00032035.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://app.getresponse.com/change_details.html?x=a62b&m=BrgFNl&s=BW9rcZD&u=C3YQM&z=EMkQID6&pt=change_details	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://abby-gatenby.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVNucEJVREU9JnVpZD1VU0VSMDMwOTIwMjRVNDYwOTAzMDE=N0123N	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://www.afghanhayatrestaurant.com.au/	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 08:22:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9776390429418176
Encrypted:	false
SSDEEP:	48:8SdATkCjdHiwidAKZdA19ehwiZUklqeh2y+3:8x7jYeBy
MD5:	940BCC7AF6DEFF902039966DF8BE043B
SHA1:	CAED3948ECCA93D28B98B7208F4C9ACFD413F0CD
SHA-256:	342D7CACADCE0F1F06109C3353653515FB77597A3516ACA721C80BE3AC74B358
SHA-512:	02F26B29ECD4D8A7B98AE841F0104FE51C4B5DD86963E8F9D484FCE8477F17F0906AD1331F1BBC9CB43F43467B3B2A31ED96F7ADDD3788AB339054AFA0E97D34
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....w......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IAY.J....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAY.J....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAY.J....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAY.J..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAY.J...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............XL.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 08:22:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.993335576468466
Encrypted:	false
SSDEEP:	48:8udATkCjdHiwidAKZdA1weh/iZUkAQkqehxy+2:8V7jY89QEy
MD5:	B6B242D6706A331C0A3F3604376581B2
SHA1:	B7CA618F1F7FD73B17B25E1D310D3FE2D50FEA3D
SHA-256:	736817128D349D60FE358C1E326DB191B2A2862B03D01E88C043EF7FFA8B584E
SHA-512:	BA73B2C988EFB79A3E1FC1810663FCDAB1F389AD001F56D53FB1FA5A2CC76A9EF4C78F55731CBC6D4CB02AC0798F90B7F2CB6FE3B0B992E7E431609CCD197752
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,..........N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IAY.J....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAY.J....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAY.J....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAY.J..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAY.J...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............XL.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.003903412362401
Encrypted:	false
SSDEEP:	48:8xxdATkCjsHiwidAKZdA14tseh7sFiZUkmgqeh7sny+BX:8xs7j1Undy
MD5:	1DF6706F951B1D21487327BDC84697D9
SHA1:	246D5F1C82E0AA519BF1B2AB5F9566C77D81A295
SHA-256:	BDE260F104976F19250E4F437BD7CA9A27951C5E44BCB3368A83110EC3416064
SHA-512:	10487F191CEAB7248DA42D47F8377DCEFEBCC9C0949F443A5DB8B2911EE8FFDB79BC994ECB6D763AFC2FA32BC7607DC22CDCBE20C810E8C8F6FADDE4335D6D25
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IAY.J....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAY.J....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAY.J....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAY.J..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............XL.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 08:22:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.99249522292948
Encrypted:	false
SSDEEP:	48:88dATkCjdHiwidAKZdA1vehDiZUkwqehFy+R:8/7jYHvy
MD5:	ACD73920445A424CB6643C673D3054D9
SHA1:	1BC730139D6152DA291728007284186EE111D62D
SHA-256:	C338419B79E7515C837BC3330D90F26F0FC11E17151B98857D672AEADC1047A5
SHA-512:	1B287429C523654EB4C0EAC8659D54996AD5E92FE680DF5D00B6071BFB0F31957503D54F87AB09D4DEBD51354745791970F17DD73A487771A84AE3FF41029B19
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....4......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IAY.J....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAY.J....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAY.J....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAY.J..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAY.J...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............XL.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 08:22:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9810893587496285
Encrypted:	false
SSDEEP:	48:82dATkCjdHiwidAKZdA1hehBiZUk1W1qehTy+C:8d7jY39zy
MD5:	32A0EC6E854F47F883D50CA8090D5813
SHA1:	B99E2EA61C2C21D11D0600905B472EC46057FBFD
SHA-256:	8AD133ECF6DCC553E88953A8C783AC252E322F3E45F5F47F81776D1325942516
SHA-512:	5D3BFC7F7FECDD299055B300BB08EF5CDC7328494DA7C0443034B98B2B410CFF67F8A7FC5EFDACE3A2333EE17805571DCFF3AB231A6C6972768048E4CB3B4B7E
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,...........N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IAY.J....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAY.J....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAY.J....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAY.J..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAY.J...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............XL.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 08:22:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9912032426789814
Encrypted:	false
SSDEEP:	48:8qdATkCjdHiwidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbdy+yT+:8p7jY/T/TbxWOvTbdy7T
MD5:	6488B50C55BA86A6DF572013FA538983
SHA1:	3D8220D2AA452201C06153BEAFB4921E4BC81205
SHA-256:	50A9FFE4B07A6E3979E9B5F80E4003CC2CF01DD21DD58CD971A0718411387B2B
SHA-512:	9341D8757AD65C0DBA75281DFD6A056BB3F634B9A3AD74E02E08F9A857775DA12652EA86A25FDDB61B889A37BEA00F2D6CD092F28C341A70AC1314C04531F8DA
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....=.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IAY.J....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAY.J....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAY.J....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAY.J..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAY.J...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............XL.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 100

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (569)
Category:	downloaded
Size (bytes):	3471
Entropy (8bit):	5.5174491302699495
Encrypted:	false
SSDEEP:	96:ojAmjTJ/fJgpIcB7Fd2tilGBEMO/A6VxV08w:vUTJpgDJXM0ApJ
MD5:	2D999C87DD54C7FE6400D267C33FBB23
SHA1:	414C3A329C2760325EDBACBD7A221D7F8DBFEEE8
SHA-256:	76D55A1AFC1D39CB04D60EB04E45A538A0E75EE2871561C84CC89B1C13596BCC
SHA-512:	72D923BB71DD147139962FF8E2BD0E336E0F6409C212AC2F25387D0F3B4FC9365F5A6D40E2980BB1065534888362C97D6B7663E362D29166B5915D2A9DA7D238
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var Txa=function(){var a=_.Ke();return _.L(a,1)},Tt=function(a){this.Da=_.t(a,0,Tt.messageId)};_.J(Tt,_.w);Tt.prototype.Ha=function(){return _.Hj(this,1)};Tt.prototype.Va=function(a){return _.Yj(this,1,a)};Tt.messageId="f.bo";var Ut=function(){_.km.call(this)};_.J(Ut,_.km);Ut.prototype.ud=function(){this.jT=!1;Uxa(this);_.km.prototype.ud.call(this)};Ut.prototype.aa=function(){Vxa(this);if(this.hC)return Wxa(this),!1;if(!this.sV)return Vt(this),!0;this.dispatchEvent("p");if(!this.fP)return Vt(this),!0;this.jM?(this.dispatchEvent("r"),Vt(this)):Wxa(this);return!1};.var Xxa=function(a){var b=new _.gp(a.z4);a.WP!=null&&_.Mn(b,"authuser",a.WP);return b},Wxa=function(a){a.hC=!0;var b=Xxa(a),c="rt=r&f_uid="+_.sk(a.fP);_.fn(b,(0,_.eg)(a.ea,a),"POST",c)};.Ut.prototype.ea=function(a){a=a.target;Vxa(this);if(_.jn(a)){this.RJ=0;if(this.jM)this.hC=!1,this.dispatchEvent("r")

Chrome Cache Entry: 101

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.253939888205379
Encrypted:	false
SSDEEP:	48:o7BNJfeFb8L3A6FHqIy5Z+d70OCzSfvi/3fM/r8ZQzRrw:oFuILhFHrVCz0vLZz9w
MD5:	10FF6F99E3228E96AFD6E2C30EF97C0A
SHA1:	4AE3DCB8D1F5A0C302D5BAD9DFF5050A7A5E8130
SHA-256:	95E5546E1C7F311D07BB5050CC456A973E43BCC4777BA6014757376016537679
SHA-512:	116C0B1CAC98A27044100005545AB66BE5F4801D75DC259093A9F145B3A4ACD8DC1C360AF525F6DC8421CD54B675A78023D2ED8B57F5946A3969543758C673C9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.$Z=function(a){_.X.call(this,a.Fa);this.window=a.Ea.window.get();this.Mc=a.Ea.Mc};_.J(_.$Z,_.X);_.$Z.Ba=function(){return{Ea:{window:_.lu,Mc:_.vE}}};_.$Z.prototype.Mo=function(){};_.$Z.prototype.addEncryptionRecoveryMethod=function(){};_.a_=function(a){return(a==null?void 0:a.Go)\|\|function(){}};_.b_=function(a){return(a==null?void 0:a.N2)\|\|function(){}};_.OOb=function(a){return(a==null?void 0:a.Mp)\|\|function(){}};._.POb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.QOb=function(a){setTimeout(function(){throw a;},0)};_.$Z.prototype.WN=function(){return!0};_.iu(_.Dn,_.$Z);._.l();._.k("ziXSP");.var t_=function(a){_.$Z.call(this,a.Fa)};_.J(t_,_.$Z);t_.Ba=_.$Z.Ba;t_.prototype.Mo=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 102

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3346)
Category:	downloaded
Size (bytes):	22827
Entropy (8bit):	5.420322672717721
Encrypted:	false
SSDEEP:	384:/jqdWXWfyA20UUjDE8BSUxDJs16KHvSN34kaHaN+587SaXD2mLR0H:/jqdWXAUUjDE84Wi6KPSKjHaN+58+0J2
MD5:	2B29741A316862EE788996DD29116DD5
SHA1:	9D5551916D4452E977C39B8D69CF88DF2AAA462B
SHA-256:	62955C853976B722EFBB4C116A10DB3FF54580EDD7495D280177550B8F4289AB
SHA-512:	6E37C3258F07F29909763728DADE0CD40A3602D55D9099F78B37756926FCF2A50008B82876B518FEAF3E56617F0F7D1D37A73C346A99A58E6AD8BCD6689E9B15
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.pu.prototype.da=_.ca(38,function(){return _.vj(this,3)});_.Vy=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.Vy.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.Wy=function(){this.ka=!0;var a=_.Bj(_.jk(_.Fe("TSDtV",window),_.pya),_.pu,1,_.uj())[0];if(a){var b={};for(var c=_.n(_.Bj(a,_.qya,2,_.uj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Nj(d,1).toString();switch(_.xj(d,_.qu)){case 3:b[e]=_.Lj(d,_.pj(d,_.qu,3));break;case 2:b[e]=_.Nj(d,_.pj(d,_.qu,2));break;case 4:b[e]=_.Oj(d,_.pj(d,_.qu,4));break;case 5:b[e]=_.L(d,_.pj(d,_.qu,5));break;case 6:b[e]=_.Sj(d,_.kf,6,_.qu);break;default:throw Error("id`"+_.xj(d,_.qu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.Wy.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Fe("nQyAE",window)){var b=_.sya(a.flagName);if(b===null)a=a.def

Chrome Cache Entry: 103

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5049
Entropy (8bit):	5.317800104741948
Encrypted:	false
SSDEEP:	96:oHX9gPiPrfnHhsB0TR6kg1oDPJzLmM18Vh1z2fEZ54TZtnqj6w:EtEAr6BmPZtOeEvW/ncP
MD5:	CE53EF566B68CCF2D62FA044CFB0D138
SHA1:	F48EC60289F2B55E8B388601206888F8295B1EB1
SHA-256:	E6CC5114D92811D5DE0663266D4B63F367834AFA0FC3BAFA54F707038C59D010
SHA-512:	20B434881DE971E263669E6096C01665D4D35B0FBFF47D312A4A442645EE962A8CE6AD7E68246D4EE9691BD30D9B1DDCF7059226492E1B58CD3191B63B001E4D
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.$Ma=_.y("wg1P6b",[_.OA,_.Fn,_.Rn]);._.k("wg1P6b");.var M5a;M5a=_.oh(["aria-"]);._.mJ=function(a){_.Y.call(this,a.Fa);this.Ja=this.ta=this.aa=this.viewportElement=this.La=null;this.Tc=a.Ea.qf;this.ab=a.Ea.focus;this.Lc=a.Ea.Lc;this.ea=this.Ei();a=-1*parseInt(_.Fo(this.Ei().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Fo(this.Ei().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.gf(this.getData("isMenuDynamic"),!1);b=_.gf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Sc(0),_.fu(this,.N5a(this,this.aa.el())));_.mF(this.oa())&&(a=this.oa().el(),b=this.De.bind(this),a.__soy_skip_handler=b)};_.J(_.mJ,_.Y);_.mJ.Ba=function(){return{Ea:{qf:_.SE,focus:_.BE,Lc:_.mu}}};_.mJ.prototype.pF=function(a){var b=a.source;this.La=b;var c;((c=a.data)==null?0:c.Jy)?(a=a.data.Jy,this.Ca=a==="MOUS

Chrome Cache Entry: 104

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 105

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	603951
Entropy (8bit):	5.789949489744101
Encrypted:	false
SSDEEP:	3072:x0pApkygA62bwwdnO2YflNYhFGOizdGj008PpVVM96C5bMEPQUhts6FV8eKqtVAT:xlgNmwwdnOsF98oNGuQRAYqXsI1+
MD5:	036BC6CEC1912EAA63C716C2A7494AFC
SHA1:	C32891F55B0D7A86DCE1BDBB7B84DB21C2A09F4F
SHA-256:	1A6181C3DFAEE5919CE57152DCFFCDC4B151C5FB2969CFD62168C1711FF202CF
SHA-512:	0AAA2285D109114921B5FD8A15F9A3D1F218AF8C61054B3925965E6753F8A49B45798326EA986C4A6B6180B6C36292A4652E2BA730C7505684DAAA4B5C314675
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlGsNipZrCRRMFQh1-tVmHSsIDzQTA/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x20469860, 0x1ce13c40, 0x51407a0, 0x1908, 0x0, 0x1b400000, 0x19a00000, 0x0, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Na,Ua,gaa,iaa,lb,qaa,xaa,Daa,Iaa,Laa,Mb,Maa,Rb,Vb,Wb,Naa,Oaa,Xb,Paa,Qaa,Raa,ac,Waa,Yaa,ic,jc,kc,cba,dba,hba,kba,mba,nba,rba,uba,oba,tba,sba,qba,pba,vba,zba,Dba,Eba,Bba,Kc,Lc,Hba,Jba,Nba,Oba,Pba,Qba,Mba,Rba,Tba,gd,Vba,Wba,Yba,$ba,Zba,bca,cca,dca,eca,gca,fca,ica,jca,kca,lca,oca,r

Chrome Cache Entry: 106

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.316515499943097
Encrypted:	false
SSDEEP:	24:kMYD7DduJqrxsNL90YIzFK/Hb5eNhz1uktdDuvKKKGbLZ99GbSSF/ZR8OkdnprGJ:o7DQJopFN+ASCKKGbF99GbSS3RY7rw
MD5:	D97AB4594FC610665FF2763A650EE6A8
SHA1:	5C7459CA838D27BE45745571D8D96D156F4B9F8D
SHA-256:	767D778369623FD8F5FB98D3BCC3130D05D02CBE0B9B88DD226F43281B14E9AF
SHA-512:	CE4941B41C3A8CC983C1BBCC87EF682823CB9DB24EA7A570E35BBF832046340D433F7D47211384B61FA38F3527CC35C195A6068CCB24B48E1F492C5B4D4192A1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.HZa=new _.uf(_.Km);._.l();._.k("P6sQOc");.var MZa=!!(_.Nh[1]&16);var OZa=function(a,b,c,d,e){this.ea=a;this.ta=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=NZa(this)},PZa=function(a){var b={};_.Ma(a.hS(),function(e){b[e]=!0});var c=a.WR(),d=a.cS();return new OZa(a.XO(),c.aa()1E3,a.oR(),d.aa()1E3,b)},NZa=function(a){return Math.random()Math.min(a.taMath.pow(a.ka,a.aa),a.Ca)},HG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var IG=function(a){_.X.call(this,a.Fa);this.da=a.Ea.mV;this.ea=a.Ea.metadata;a=a.Ea.lga;this.fetch=a.fetch.bind(a)};_.J(IG,_.X);IG.Ba=function(){return{Ea:{mV:_.KZa,metadata:_.HZa,lga:_.AZa}}};IG.prototype.aa=function(a,b){if(this.ea.getType(a.Md())!==1)return _.Vm(a);var c=this.da.JU;return(c=c?PZa(c):null)&&HG(c)?_.mya(a,QZa(this,a,b,c)):_.Vm(a)};.var QZa=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 107

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.3872171131917925
Encrypted:	false
SSDEEP:	192:FK/pAzN7GZ068Hqhqu6DQaVapzYjgKItwdiwUsYRTi1j1t9bRl9:FqI7GZ04dRYjghtgisYYbt9ll9
MD5:	AB70454DE18E1CE16E61EAC290FC304D
SHA1:	68532B5E8B262D7E14B8F4507AA69A61146B3C18
SHA-256:	B32D746867CC4FA21FD39437502F401D952D0A3E8DC708DFB7D58B85F256C0F1
SHA-512:	A123C517380BEF0B47F23A5A6E1D16650FE39D9C701F9FA5ADD79294973C118E8EA3A7BA32CB63C3DFC0CE0F843FB86BFFCAA2AAE987629E7DFF84F176DEBB98
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.gNa=_.y("SD8Jgb",[]);._.QX=function(a,b){if(typeof b==="string")a.Nc(b);else if(b instanceof _.Ip&&b.ia&&b.ia===_.B)b=_.$a(b.ww()),a.empty().append(b);else if(b instanceof _.Wa)b=_.$a(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.RX=function(a){var b=_.Lo(a,"[jsslot]");if(b.size()>0)return b;b=new _.Jo([_.Qk("span")]);_.Mo(b,"jsslot","");a.empty().append(b);return b};_.TKb=function(a){return a===null\|\|typeof a==="string"&&_.Ki(a)};._.k("SD8Jgb");._.WX=function(a){_.Y.call(this,a.Fa);this.Ua=a.controller.Ua;this.kd=a.controllers.kd[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.WX,_.Y);_.WX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.hv},header:{jsname:"tJHJj",ctor:_.hv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 93

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.3750044852869046
Encrypted:	false
SSDEEP:	48:o7zfN/cD498xdg+Y5jNQ8js6npwk0OmNAEZbpMzR4EQBcW5QcHj9KWfGAeFKRrw:oCD9dA5jOEGh+EFqR4rhqUhzff9w
MD5:	39693D34EE3D1829DBB1627C4FC6687B
SHA1:	A03303C2F027F3749B48D5134D1F8FB3E495C6E9
SHA-256:	03B0C1B4E402E0BCF75D530DD9085B25357EEFD09E238453DE1F3A042542C076
SHA-512:	AC0749EDC33DA0EC0E40470388DD797B6528AD08B8FAC1C2AC42F85198131052BA1B533E90409D35DA237607E8B07D591FA6BA580B6A90B0D0AB2282A01F7585
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var bA=function(a){_.X.call(this,a.Fa)};_.J(bA,_.X);bA.Ba=_.X.Ba;bA.prototype.wR=function(a){return _.af(this,{Wa:{HS:_.ol}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.oi(function(e){window._wjdc=function(f){d(f);e(PJa(f,b,a))}}):PJa(c,b,a)})};var PJa=function(a,b,c){return(a=a&&a[c])?a:b.Wa.HS.wR(c)};.bA.prototype.aa=function(a,b){var c=_.csa(b).Gj;if(c.startsWith("$")){var d=_.jm.get(a);_.xq[b]&&(d\|\|(d={},_.jm.set(a,d)),d[c]=_.xq[b],delete _.xq[b],_.yq--);if(d)if(a=d[c])b=_.ef(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.iu(_.Mfa,bA);._.l();._.k("SNUn3");._.OJa=new _.uf(_.Ag);._.l();._.k("RMhBfe");.var QJa=function(a){var b=_.wq(a);return b?new _.oi(function(c,d){var e=function(){b=_.wq(a);var f=_.Tfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 94

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32499
Entropy (8bit):	5.361345284201954
Encrypted:	false
SSDEEP:	768:mLX1O+aL6fgyIiREM4RKmh90toLoTswtF3ATcbDR6kIsnJd9DPyMv/FI:U2M4oltoLoTswtFoc/tIsnXFLI
MD5:	D5C3FB8EAE24AB7E40009338B5078496
SHA1:	5638BF5986A6445A88CD79A9B690B744B126BEC2
SHA-256:	597C14D360D690BCFDC2B8D315E6BB8879AEF33DE6C30D274743079BDB63C6B0
SHA-512:	6AE434850D473BEF15AA694AB4862596982CDDA6BD3991991D3ADD8F4A5F61DFBF8756D0DA98B72EF083909D68CF7B6B148A6488E9381F92FBF15CCB20176A0E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var qua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.gp("//www.google.com/images/cleardot.gif");_.rp(c)}this.ka=c};_.h=qua.prototype;_.h.Vc=null;_.h.QY=1E4;_.h.Iz=!1;_.h.TP=0;_.h.qJ=null;_.h.DU=null;_.h.setTimeout=function(a){this.QY=a};_.h.start=function(){if(this.Iz)throw Error("dc");this.Iz=!0;this.TP=0;rua(this)};_.h.stop=function(){sua(this);this.Iz=!1};.var rua=function(a){a.TP++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.om((0,_.eg)(a.JG,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.eg)(a.Xia,a),a.aa.onerror=(0,_.eg)(a.Wia,a),a.aa.onabort=(0,_.eg)(a.Via,a),a.qJ=_.om(a.Yia,a.QY,a),a.aa.src=String(a.ka))};_.h=qua.prototype;_.h.Xia=function(){this.JG(!0)};_.h.Wia=function(){this.JG(!1)};_.h.Via=function(){this.JG(!1)};_.h.Yia=function(){this.JG(!1)};._.h.JG=function(a){sua(this);a?(this.Iz=!1,this.da.call(this.ea,!0)):this.TP<=0?rua(this):(this.Iz=!1,

Chrome Cache Entry: 95

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.280977407061266
Encrypted:	false
SSDEEP:	48:o7YNJvl3WlENrpB3stYCIgMxILNH/wf7DVTBpdQrw:oApB8iDwYlGw
MD5:	4FB66582D37D04933F00E49C2FBA34D4
SHA1:	3DB09C53BBEB1EEB045A001356E498D8EF30915D
SHA-256:	A97DAC01ABFE3EB75C7C97D504E21BDDDADDB6EBE0B56B6A9A10CD3700CAB41B
SHA-512:	2AEB3A6CFFBF6EFA626EBDC9E11ACBAC04BFE986F98FBC050B2501898B289C67D392ED195D16ACC9565EF8784401ADA1E88188CDE3A7AB12D98BB5ED7D8A5711
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.zg(_.Kla);_.$z=function(a){_.X.call(this,a.Fa);this.aa=a.Wa.cache};_.J(_.$z,_.X);_.$z.Ba=function(){return{Wa:{cache:_.Zs}}};_.$z.prototype.execute=function(a){_.Gb(a,function(b){var c;_.df(b)&&(c=b.eb.jc(b.jb));c&&this.aa.oG(c)},this);return{}};_.iu(_.Qla,_.$z);._.l();._.k("ZDZcre");.var ZG=function(a){_.X.call(this,a.Fa);this.Nl=a.Ea.Nl;this.G3=a.Ea.metadata;this.aa=a.Ea.Ws};_.J(ZG,_.X);ZG.Ba=function(){return{Ea:{Nl:_.DG,metadata:_.HZa,Ws:_.AG}}};ZG.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Gb(a,function(c){var d=b.G3.getType(c.Md())===2?b.Nl.Pb(c):b.Nl.fetch(c);return _.Jl(c,_.EG)?d.then(function(e){return _.Jd(e)}):d},this)};_.iu(_.Vla,ZG);._.l();._.k("K5nYTd");._.GZa=new _.uf(_.Rla);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var GG=function(a){_.X.call(this,a.Fa);this.aa=a.Ea.ZP};_.J(GG,_.X);GG.Ba=func

Chrome Cache Entry: 96

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4070
Entropy (8bit):	5.362700670482359
Encrypted:	false
SSDEEP:	96:GUpT+TmXtdW1qsHFcn7t7CnyWYvNTcLaQOw:lpT+qXW1PFcn7tGnyWY1TGb
MD5:	ED368A20CB303C0E7C6A3E6E43C2E14F
SHA1:	429A5C538B45221F80405163D1F87912DD73C05A
SHA-256:	93BA77AD4B11E0A70C0D36576F0DF24E27F50001EA02BAA6D357E034532D97F2
SHA-512:	DE74BBADE910475DD245FFEFD4E1FD10137DE710B1C920D33BA52554911496E1339EF3C1F6D9D315CBC98A60ABE5687A3E7D8BEE483708E18D25722E794BDBE9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.zg(_.dqa);._.k("sOXFj");.var ou=function(a){_.X.call(this,a.Fa)};_.J(ou,_.X);ou.Ba=_.X.Ba;ou.prototype.aa=function(a){return a()};_.iu(_.cqa,ou);._.l();._.k("oGtAuc");._.oya=new _.uf(_.dqa);._.l();._.k("q0xTif");.var iza=function(a){var b=function(d){_.Zn(d)&&(_.Zn(d).Gc=null,_.yu(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Ku=function(a){_.et.call(this,a.Fa);this.Qa=this.dom=null;if(this.Vk()){var b=_.Jm(this.Mg(),[_.Om,_.Nm]);b=_.ri([b[_.Om],b[_.Nm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.cu(this,b)}this.Ra=a.Xl.Hda};_.J(Ku,_.et);Ku.Ba=function(){return{Xl:{Hda:function(a){return _.Ye(a)}}}};Ku.prototype.yp=function(a){return this.Ra.yp(a)};.Ku.prototype.getData=function(a){return this.Ra.getData(a)};Ku.prototype.vp=function(){_.Ft(this.d

Chrome Cache Entry: 97

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 98

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 99

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	697429
Entropy (8bit):	5.593310312179182
Encrypted:	false
SSDEEP:	6144:TYNlxfbDTYDhzCTNoygVWyJb5eGpbL2Mp15gI8seqfh53p+rrvV7i:T25bDTYB+qeGB+Nu
MD5:	92F0F5E28355D863ACB77313F1E675DE
SHA1:	8AD6F9B535D5B8952A4ADCCC57E4A4E0723F1E8D
SHA-256:	F903AE346609A2872554A3D8FFBDB1836CB5C8B7AAAED4C3F8296B887E03D833
SHA-512:	0C81A6CD850C6ACDBE9CCCBA00BBA34CDE1E09E8572814AE8E55DBED3C2B56F0B020359841F8217843B3403847DF46FA1C82229684F762A73C8110CE45898DAF
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5797761241913
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	873bd04e24ffd5ff03c7cbcb0390619b
SHA1:	3d72d99e3bd8ef83e3d156e08f4d66f83053064e
SHA256:	02a9704a3a661c5c01658ecba3156cf65924af152948a3006f0c4b7b37024913
SHA512:	8c632c03c1600a52d8a5e12d87094644cd7672915e43e1438419cd2177cddf38e452f3a36c2f20c044a5f1b146a1e7605d1f2a7c29dcdceb4ad9b1c2bee9531e
SSDEEP:	12288:gqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgagTy:gqDEvCTbMWu7rQYlBQcBiT6rprG8a4y
TLSH:	D9159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FBBCBC [Tue Oct 1 09:11:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FD0E47B0DC3h
jmp 00007FD0E47B06CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD0E47B08ADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD0E47B087Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FD0E47B346Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FD0E47B34B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FD0E47B34A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95ac	0x9600	8b6df623cea438bbea066d1ca6a31242	False	0.2860416666666667	data	5.1643975005276275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x874	data			1.005083179297597
RT_GROUP_ICON	0xdd02c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0a4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0b8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0cc	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0e0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1bc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 11:22:54.511356115 CEST	49675	443	192.168.2.5	23.1.237.91
Oct 1, 2024 11:22:54.511357069 CEST	49674	443	192.168.2.5	23.1.237.91
Oct 1, 2024 11:22:54.605093956 CEST	49673	443	192.168.2.5	23.1.237.91
Oct 1, 2024 11:22:58.632746935 CEST	49706	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:22:58.632796049 CEST	443	49706	142.250.186.174	192.168.2.5
Oct 1, 2024 11:22:58.632852077 CEST	49706	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:22:58.634234905 CEST	49706	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:22:58.634249926 CEST	443	49706	142.250.186.174	192.168.2.5
Oct 1, 2024 11:22:59.270406008 CEST	443	49706	142.250.186.174	192.168.2.5
Oct 1, 2024 11:22:59.270934105 CEST	49706	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:22:59.270952940 CEST	443	49706	142.250.186.174	192.168.2.5
Oct 1, 2024 11:22:59.271382093 CEST	443	49706	142.250.186.174	192.168.2.5
Oct 1, 2024 11:22:59.271454096 CEST	49706	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:22:59.272434950 CEST	443	49706	142.250.186.174	192.168.2.5
Oct 1, 2024 11:22:59.272486925 CEST	49706	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:22:59.275137901 CEST	49706	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:22:59.275223970 CEST	443	49706	142.250.186.174	192.168.2.5
Oct 1, 2024 11:22:59.276036024 CEST	49706	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:22:59.276042938 CEST	443	49706	142.250.186.174	192.168.2.5
Oct 1, 2024 11:22:59.320480108 CEST	49706	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:22:59.554029942 CEST	443	49706	142.250.186.174	192.168.2.5
Oct 1, 2024 11:22:59.554801941 CEST	443	49706	142.250.186.174	192.168.2.5
Oct 1, 2024 11:22:59.554856062 CEST	49706	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:22:59.555243969 CEST	49706	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:22:59.555262089 CEST	443	49706	142.250.186.174	192.168.2.5
Oct 1, 2024 11:22:59.565962076 CEST	49712	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:22:59.570744991 CEST	53	49712	1.1.1.1	192.168.2.5
Oct 1, 2024 11:22:59.570802927 CEST	49712	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:22:59.570867062 CEST	49712	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:22:59.570878983 CEST	49712	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:22:59.570967913 CEST	49712	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:22:59.571228027 CEST	49713	443	192.168.2.5	142.250.185.238
Oct 1, 2024 11:22:59.571288109 CEST	443	49713	142.250.185.238	192.168.2.5
Oct 1, 2024 11:22:59.571352959 CEST	49713	443	192.168.2.5	142.250.185.238
Oct 1, 2024 11:22:59.571584940 CEST	49713	443	192.168.2.5	142.250.185.238
Oct 1, 2024 11:22:59.571614981 CEST	443	49713	142.250.185.238	192.168.2.5
Oct 1, 2024 11:22:59.575694084 CEST	53	49712	1.1.1.1	192.168.2.5
Oct 1, 2024 11:22:59.575707912 CEST	53	49712	1.1.1.1	192.168.2.5
Oct 1, 2024 11:22:59.618994951 CEST	53	49712	1.1.1.1	192.168.2.5
Oct 1, 2024 11:22:59.943224907 CEST	53	49712	1.1.1.1	192.168.2.5
Oct 1, 2024 11:22:59.943284988 CEST	49712	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:23:00.200097084 CEST	443	49713	142.250.185.238	192.168.2.5
Oct 1, 2024 11:23:00.200392962 CEST	49713	443	192.168.2.5	142.250.185.238
Oct 1, 2024 11:23:00.200417042 CEST	443	49713	142.250.185.238	192.168.2.5
Oct 1, 2024 11:23:00.200872898 CEST	443	49713	142.250.185.238	192.168.2.5
Oct 1, 2024 11:23:00.200944901 CEST	49713	443	192.168.2.5	142.250.185.238
Oct 1, 2024 11:23:00.201602936 CEST	443	49713	142.250.185.238	192.168.2.5
Oct 1, 2024 11:23:00.201659918 CEST	49713	443	192.168.2.5	142.250.185.238
Oct 1, 2024 11:23:00.202701092 CEST	49713	443	192.168.2.5	142.250.185.238
Oct 1, 2024 11:23:00.202771902 CEST	443	49713	142.250.185.238	192.168.2.5
Oct 1, 2024 11:23:00.202902079 CEST	49713	443	192.168.2.5	142.250.185.238
Oct 1, 2024 11:23:00.202919006 CEST	443	49713	142.250.185.238	192.168.2.5
Oct 1, 2024 11:23:00.246510029 CEST	49713	443	192.168.2.5	142.250.185.238
Oct 1, 2024 11:23:00.523499966 CEST	443	49713	142.250.185.238	192.168.2.5
Oct 1, 2024 11:23:00.523519039 CEST	443	49713	142.250.185.238	192.168.2.5
Oct 1, 2024 11:23:00.523581028 CEST	49713	443	192.168.2.5	142.250.185.238
Oct 1, 2024 11:23:00.523612022 CEST	443	49713	142.250.185.238	192.168.2.5
Oct 1, 2024 11:23:00.524183989 CEST	443	49713	142.250.185.238	192.168.2.5
Oct 1, 2024 11:23:00.525753021 CEST	49713	443	192.168.2.5	142.250.185.238
Oct 1, 2024 11:23:00.525779009 CEST	443	49713	142.250.185.238	192.168.2.5
Oct 1, 2024 11:23:00.525801897 CEST	49713	443	192.168.2.5	142.250.185.238
Oct 1, 2024 11:23:00.525829077 CEST	49713	443	192.168.2.5	142.250.185.238
Oct 1, 2024 11:23:02.864995003 CEST	49718	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:23:02.865032911 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:02.865096092 CEST	49718	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:23:02.865314007 CEST	49718	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:23:02.865324974 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:03.617789030 CEST	49722	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:03.617882013 CEST	443	49722	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:03.617971897 CEST	49722	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:03.619685888 CEST	49722	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:03.619739056 CEST	443	49722	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:03.620018959 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:03.620222092 CEST	49718	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:23:03.620234013 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:03.621140003 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:03.621191025 CEST	49718	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:23:03.622162104 CEST	49718	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:23:03.622216940 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:03.668139935 CEST	49718	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:23:03.668145895 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:03.714348078 CEST	49718	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:23:04.121625900 CEST	49674	443	192.168.2.5	23.1.237.91
Oct 1, 2024 11:23:04.121653080 CEST	49675	443	192.168.2.5	23.1.237.91
Oct 1, 2024 11:23:04.218061924 CEST	49673	443	192.168.2.5	23.1.237.91
Oct 1, 2024 11:23:04.279167891 CEST	443	49722	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:04.279273033 CEST	49722	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:04.283531904 CEST	49722	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:04.283562899 CEST	443	49722	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:04.283987045 CEST	443	49722	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:04.327471972 CEST	49722	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:04.328051090 CEST	49722	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:04.375442982 CEST	443	49722	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:05.498395920 CEST	443	49722	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:05.498547077 CEST	443	49722	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:05.498634100 CEST	49722	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:05.498724937 CEST	443	49722	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:05.498759985 CEST	49722	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:05.498759985 CEST	49722	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:05.498781919 CEST	443	49722	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:05.498799086 CEST	443	49722	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:05.547971010 CEST	49729	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:05.548033953 CEST	443	49729	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:05.548271894 CEST	49729	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:05.548538923 CEST	49729	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:05.548573017 CEST	443	49729	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:05.865281105 CEST	443	49705	23.1.237.91	192.168.2.5
Oct 1, 2024 11:23:05.866132975 CEST	49705	443	192.168.2.5	23.1.237.91
Oct 1, 2024 11:23:06.190824032 CEST	443	49729	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:06.190907001 CEST	49729	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:06.192373991 CEST	49729	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:06.192400932 CEST	443	49729	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:06.192747116 CEST	443	49729	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:06.193953991 CEST	49729	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:06.239398956 CEST	443	49729	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:06.463690042 CEST	443	49729	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:06.463835955 CEST	443	49729	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:06.463912010 CEST	49729	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:06.583746910 CEST	49729	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:06.583794117 CEST	443	49729	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:06.583822966 CEST	49729	443	192.168.2.5	184.28.90.27
Oct 1, 2024 11:23:06.583838940 CEST	443	49729	184.28.90.27	192.168.2.5
Oct 1, 2024 11:23:08.110574007 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:08.110615969 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:08.110703945 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:08.111931086 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:08.111949921 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:08.770622015 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:08.771059036 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:08.771087885 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:08.771522999 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:08.771583080 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:08.772237062 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:08.772281885 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:08.773327112 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:08.773392916 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:08.773592949 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:08.773602009 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:08.824368954 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.088547945 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.088649988 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.088686943 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.088706017 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.088752985 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.088782072 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.094446898 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.094526052 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.094547033 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.100708961 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.100744009 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.100766897 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.100783110 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.100918055 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.106980085 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.107042074 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.113585949 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.113621950 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.113646030 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.113660097 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.113867998 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.161688089 CEST	49739	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.161726952 CEST	443	49739	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.161940098 CEST	49739	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.162530899 CEST	49739	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.162545919 CEST	443	49739	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.179466963 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.179516077 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.179543972 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.179558039 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.179577112 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.179624081 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.179639101 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.179692030 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.188255072 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.188302040 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.188328981 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.188344002 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.189845085 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.189909935 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.189924955 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.189971924 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.195907116 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.195982933 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.196108103 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.202214956 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.203522921 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.203537941 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.208880901 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.209055901 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.209131956 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.209270954 CEST	49736	443	192.168.2.5	142.250.186.174
Oct 1, 2024 11:23:09.209299088 CEST	443	49736	142.250.186.174	192.168.2.5
Oct 1, 2024 11:23:09.226708889 CEST	49740	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.226748943 CEST	443	49740	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.226823092 CEST	49740	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.227238894 CEST	49740	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.227252007 CEST	443	49740	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.796348095 CEST	443	49739	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.796643019 CEST	49739	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.796658039 CEST	443	49739	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.797039032 CEST	443	49739	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.797106981 CEST	49739	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.797759056 CEST	443	49739	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.797816992 CEST	49739	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.798846960 CEST	49739	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.798912048 CEST	443	49739	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.799051046 CEST	49739	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.839728117 CEST	49739	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.839736938 CEST	443	49739	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.876281023 CEST	443	49740	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.876430988 CEST	49740	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.876451015 CEST	443	49740	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.876976013 CEST	443	49740	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.877027988 CEST	49740	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.877721071 CEST	443	49740	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.877763987 CEST	49740	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.878669977 CEST	49740	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.878750086 CEST	443	49740	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.878978968 CEST	49740	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.888566971 CEST	49739	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.920536995 CEST	49740	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:09.920545101 CEST	443	49740	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:09.966239929 CEST	49740	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.329571962 CEST	443	49739	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.329696894 CEST	443	49739	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.329794884 CEST	49739	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.330075979 CEST	443	49740	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.330250025 CEST	443	49740	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.330300093 CEST	49740	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.330331087 CEST	49739	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.330347061 CEST	443	49739	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.330673933 CEST	49740	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.330688000 CEST	443	49740	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.331444025 CEST	49744	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.331474066 CEST	443	49744	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.331784964 CEST	49744	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.332695007 CEST	49745	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.332802057 CEST	443	49745	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.333139896 CEST	49744	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.333159924 CEST	443	49744	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.333190918 CEST	49745	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.333858013 CEST	49745	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.333908081 CEST	443	49745	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.960325956 CEST	443	49744	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.960541010 CEST	49744	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.960557938 CEST	443	49744	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.960975885 CEST	443	49744	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.961035013 CEST	49744	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.961705923 CEST	443	49744	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.961755037 CEST	49744	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.961894035 CEST	49744	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.961950064 CEST	443	49744	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.962021112 CEST	49744	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.962028027 CEST	443	49744	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.962038994 CEST	49744	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.980655909 CEST	443	49745	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.980947971 CEST	49745	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.980998039 CEST	443	49745	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.981324911 CEST	443	49745	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.981405973 CEST	49745	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.981921911 CEST	443	49745	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.981977940 CEST	49745	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.982116938 CEST	49745	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.982177019 CEST	443	49745	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.982309103 CEST	49745	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:10.982331038 CEST	443	49745	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:10.982367992 CEST	49745	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:11.007405043 CEST	443	49744	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:11.013689995 CEST	49744	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:11.027411938 CEST	443	49745	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:11.028898001 CEST	49745	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:11.153589964 CEST	443	49744	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:11.153883934 CEST	443	49744	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:11.153934002 CEST	49744	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:11.155442953 CEST	49744	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:11.155457973 CEST	443	49744	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:11.178194046 CEST	443	49745	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:11.178317070 CEST	443	49745	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:11.178391933 CEST	49745	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:11.179116964 CEST	49745	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:11.179142952 CEST	443	49745	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:11.789056063 CEST	49718	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:23:11.835405111 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:12.077871084 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:12.077908039 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:12.077930927 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:12.077958107 CEST	49718	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:23:12.077959061 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:12.077976942 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:12.077992916 CEST	49718	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:23:12.078224897 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:12.078268051 CEST	49718	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:23:12.084167957 CEST	49718	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:23:12.084177017 CEST	443	49718	142.250.184.196	192.168.2.5
Oct 1, 2024 11:23:14.578275919 CEST	49752	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:14.578352928 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:14.578450918 CEST	49752	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:14.579535007 CEST	49752	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:14.579579115 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:15.398638964 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:15.398752928 CEST	49752	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:15.400420904 CEST	49752	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:15.400444031 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:15.400696039 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:15.448959112 CEST	49752	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:15.929692030 CEST	49752	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:15.975399017 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:16.199033022 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:16.199053049 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:16.199059963 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:16.199069977 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:16.199105024 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:16.199136019 CEST	49752	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:16.199174881 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:16.199203014 CEST	49752	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:16.199228048 CEST	49752	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:16.199291945 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:16.199353933 CEST	49752	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:16.199398994 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:16.199523926 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:16.201533079 CEST	49752	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:16.918236971 CEST	49752	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:16.918294907 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:16.918329954 CEST	49752	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:16.918363094 CEST	443	49752	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:17.093992949 CEST	49759	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:17.094019890 CEST	443	49759	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:17.094079971 CEST	49759	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:17.094482899 CEST	49759	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:17.094494104 CEST	443	49759	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:17.734832048 CEST	443	49759	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:17.739161015 CEST	49759	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:17.739172935 CEST	443	49759	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:17.739597082 CEST	443	49759	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:17.754199028 CEST	49759	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:17.754282951 CEST	443	49759	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:17.754359961 CEST	49759	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:17.754359961 CEST	49759	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:17.754388094 CEST	443	49759	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:17.795160055 CEST	49759	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:18.046693087 CEST	443	49759	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:18.046916962 CEST	443	49759	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:18.047066927 CEST	49759	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:18.049458981 CEST	49759	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:18.049474955 CEST	443	49759	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:39.265388012 CEST	49760	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:39.265433073 CEST	443	49760	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:39.265525103 CEST	49760	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:39.265826941 CEST	49760	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:39.265844107 CEST	443	49760	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:40.140162945 CEST	49761	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:40.140196085 CEST	443	49761	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:40.140266895 CEST	49761	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:40.140584946 CEST	49761	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:40.140602112 CEST	443	49761	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:40.610160112 CEST	49762	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:40.610202074 CEST	443	49762	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:40.610270977 CEST	49762	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:40.624361038 CEST	49762	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:40.624377966 CEST	443	49762	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:40.775799990 CEST	443	49760	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:40.776089907 CEST	49760	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:40.776106119 CEST	443	49760	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:40.776484013 CEST	443	49760	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:40.776833057 CEST	49760	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:40.776905060 CEST	443	49760	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:40.777090073 CEST	49760	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:40.777126074 CEST	49760	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:40.777138948 CEST	443	49760	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:40.785058022 CEST	443	49761	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:40.785270929 CEST	49761	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:40.785281897 CEST	443	49761	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:40.785600901 CEST	443	49761	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:40.785897970 CEST	49761	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:40.785958052 CEST	443	49761	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:40.786035061 CEST	49761	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:40.786056042 CEST	49761	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:40.786065102 CEST	443	49761	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.055255890 CEST	443	49760	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.056237936 CEST	443	49760	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.056307077 CEST	49760	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:41.056401968 CEST	49760	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:41.056421041 CEST	443	49760	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.062206030 CEST	443	49761	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.062325001 CEST	443	49761	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.062396049 CEST	49761	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:41.062551975 CEST	49761	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:41.062571049 CEST	443	49761	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.426552057 CEST	443	49762	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.426821947 CEST	49762	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:41.426840067 CEST	443	49762	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.427155972 CEST	443	49762	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.427217007 CEST	49762	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:41.427781105 CEST	443	49762	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.427831888 CEST	49762	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:41.427970886 CEST	49762	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:41.428029060 CEST	443	49762	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.428111076 CEST	49762	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:41.428119898 CEST	443	49762	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.428137064 CEST	49762	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:41.468195915 CEST	49762	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:41.468202114 CEST	443	49762	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.626626968 CEST	443	49762	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.626745939 CEST	443	49762	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:41.626808882 CEST	49762	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:41.627315044 CEST	49762	443	192.168.2.5	142.250.185.78
Oct 1, 2024 11:23:41.627335072 CEST	443	49762	142.250.185.78	192.168.2.5
Oct 1, 2024 11:23:53.266092062 CEST	49763	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:53.266196012 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:53.266293049 CEST	49763	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:53.266612053 CEST	49763	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:53.266649008 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:54.079186916 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:54.079377890 CEST	49763	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:54.082838058 CEST	49763	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:54.082879066 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:54.083122015 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:54.095437050 CEST	49763	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:54.139435053 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:54.423779011 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:54.423804045 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:54.423819065 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:54.423903942 CEST	49763	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:54.423937082 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:54.423991919 CEST	49763	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:54.424964905 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:54.425000906 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:54.425056934 CEST	49763	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:54.425056934 CEST	49763	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:54.425076962 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:54.425293922 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:54.425343990 CEST	49763	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:54.428231955 CEST	49763	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:54.428261042 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:23:54.428287029 CEST	49763	443	192.168.2.5	4.175.87.197
Oct 1, 2024 11:23:54.428301096 CEST	443	49763	4.175.87.197	192.168.2.5
Oct 1, 2024 11:24:02.937829971 CEST	49765	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:24:02.937861919 CEST	443	49765	142.250.184.196	192.168.2.5
Oct 1, 2024 11:24:02.937930107 CEST	49765	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:24:02.945141077 CEST	49765	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:24:02.945158005 CEST	443	49765	142.250.184.196	192.168.2.5
Oct 1, 2024 11:24:03.599086046 CEST	443	49765	142.250.184.196	192.168.2.5
Oct 1, 2024 11:24:03.599354029 CEST	49765	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:24:03.599387884 CEST	443	49765	142.250.184.196	192.168.2.5
Oct 1, 2024 11:24:03.600111008 CEST	443	49765	142.250.184.196	192.168.2.5
Oct 1, 2024 11:24:03.600514889 CEST	49765	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:24:03.600584984 CEST	443	49765	142.250.184.196	192.168.2.5
Oct 1, 2024 11:24:03.652414083 CEST	49765	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:24:10.309933901 CEST	49767	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:10.309993982 CEST	443	49767	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:10.310061932 CEST	49767	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:10.310272932 CEST	49767	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:10.310288906 CEST	443	49767	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:10.423042059 CEST	49768	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:10.423122883 CEST	443	49768	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:10.423197031 CEST	49768	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:10.423441887 CEST	49768	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:10.423476934 CEST	443	49768	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:10.977350950 CEST	443	49767	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:10.977627993 CEST	49767	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:10.977652073 CEST	443	49767	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:10.977963924 CEST	443	49767	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:10.978238106 CEST	49767	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:10.978293896 CEST	443	49767	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:10.978393078 CEST	49767	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:10.978415012 CEST	49767	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:10.978425980 CEST	443	49767	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:11.054718971 CEST	443	49768	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:11.054975033 CEST	49768	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:11.055016041 CEST	443	49768	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:11.055336952 CEST	443	49768	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:11.055699110 CEST	49768	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:11.055764914 CEST	443	49768	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:11.055871964 CEST	49768	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:11.055908918 CEST	49768	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:11.055921078 CEST	443	49768	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:11.280872107 CEST	443	49767	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:11.281558037 CEST	443	49767	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:11.281620979 CEST	49767	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:11.281913042 CEST	49767	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:11.281939030 CEST	443	49767	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:11.353821993 CEST	443	49768	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:11.354351997 CEST	443	49768	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:11.354428053 CEST	49768	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:11.354547977 CEST	49768	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:11.354578972 CEST	443	49768	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:13.502074003 CEST	443	49765	142.250.184.196	192.168.2.5
Oct 1, 2024 11:24:13.502136946 CEST	443	49765	142.250.184.196	192.168.2.5
Oct 1, 2024 11:24:13.502185106 CEST	49765	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:24:26.293848991 CEST	49765	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:24:26.293876886 CEST	443	49765	142.250.184.196	192.168.2.5
Oct 1, 2024 11:24:40.455096006 CEST	49770	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:40.455223083 CEST	443	49770	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:40.455440044 CEST	49770	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:40.455745935 CEST	49770	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:40.455784082 CEST	443	49770	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:41.118158102 CEST	443	49770	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:41.118544102 CEST	49770	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:41.118603945 CEST	443	49770	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:41.119183064 CEST	443	49770	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:41.119481087 CEST	49770	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:41.119574070 CEST	443	49770	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:41.119623899 CEST	49770	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:41.119657993 CEST	49770	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:41.119673014 CEST	443	49770	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:41.424499035 CEST	443	49770	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:41.424727917 CEST	443	49770	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:41.424840927 CEST	49770	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:41.426106930 CEST	49770	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:41.426162958 CEST	443	49770	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:43.690613031 CEST	49771	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:43.690709114 CEST	443	49771	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:43.690804958 CEST	49771	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:43.691224098 CEST	49771	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:43.691261053 CEST	443	49771	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:44.402151108 CEST	443	49771	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:44.402549028 CEST	49771	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:44.402616978 CEST	443	49771	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:44.402954102 CEST	443	49771	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:44.403228998 CEST	49771	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:44.403304100 CEST	443	49771	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:44.403379917 CEST	49771	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:44.403450012 CEST	49771	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:44.403465033 CEST	443	49771	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:44.700850010 CEST	443	49771	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:44.701265097 CEST	443	49771	142.250.185.174	192.168.2.5
Oct 1, 2024 11:24:44.701385975 CEST	49771	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:44.701692104 CEST	49771	443	192.168.2.5	142.250.185.174
Oct 1, 2024 11:24:44.701730967 CEST	443	49771	142.250.185.174	192.168.2.5
Oct 1, 2024 11:25:02.981754065 CEST	49772	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:25:02.981786966 CEST	443	49772	142.250.184.196	192.168.2.5
Oct 1, 2024 11:25:02.981868029 CEST	49772	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:25:02.982146025 CEST	49772	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:25:02.982160091 CEST	443	49772	142.250.184.196	192.168.2.5
Oct 1, 2024 11:25:03.610897064 CEST	443	49772	142.250.184.196	192.168.2.5
Oct 1, 2024 11:25:03.611195087 CEST	49772	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:25:03.611208916 CEST	443	49772	142.250.184.196	192.168.2.5
Oct 1, 2024 11:25:03.611546040 CEST	443	49772	142.250.184.196	192.168.2.5
Oct 1, 2024 11:25:03.611860037 CEST	49772	443	192.168.2.5	142.250.184.196
Oct 1, 2024 11:25:03.611917973 CEST	443	49772	142.250.184.196	192.168.2.5
Oct 1, 2024 11:25:03.651891947 CEST	49772	443	192.168.2.5	142.250.184.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 11:22:58.526650906 CEST	53692	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:22:58.526797056 CEST	58767	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:22:58.533720016 CEST	53	53692	1.1.1.1	192.168.2.5
Oct 1, 2024 11:22:58.536048889 CEST	53	58767	1.1.1.1	192.168.2.5
Oct 1, 2024 11:22:58.634090900 CEST	53	63115	1.1.1.1	192.168.2.5
Oct 1, 2024 11:22:58.641319036 CEST	53	51748	1.1.1.1	192.168.2.5
Oct 1, 2024 11:22:59.557899952 CEST	50367	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:22:59.558051109 CEST	59881	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:22:59.565417051 CEST	53	50367	1.1.1.1	192.168.2.5
Oct 1, 2024 11:22:59.565598011 CEST	53	59881	1.1.1.1	192.168.2.5
Oct 1, 2024 11:22:59.644629955 CEST	53	57201	1.1.1.1	192.168.2.5
Oct 1, 2024 11:23:02.857537031 CEST	64737	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:23:02.857656002 CEST	56100	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:23:02.864120960 CEST	53	56100	1.1.1.1	192.168.2.5
Oct 1, 2024 11:23:02.864350080 CEST	53	64737	1.1.1.1	192.168.2.5
Oct 1, 2024 11:23:03.099848986 CEST	53	58907	1.1.1.1	192.168.2.5
Oct 1, 2024 11:23:05.451714993 CEST	53	65141	1.1.1.1	192.168.2.5
Oct 1, 2024 11:23:08.101871967 CEST	63227	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:23:08.102051973 CEST	57061	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:23:08.108783007 CEST	53	63227	1.1.1.1	192.168.2.5
Oct 1, 2024 11:23:08.109519958 CEST	53	57061	1.1.1.1	192.168.2.5
Oct 1, 2024 11:23:09.153630018 CEST	53019	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:23:09.154174089 CEST	51395	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:23:09.160825014 CEST	53	51395	1.1.1.1	192.168.2.5
Oct 1, 2024 11:23:09.160862923 CEST	53	53019	1.1.1.1	192.168.2.5
Oct 1, 2024 11:23:16.633513927 CEST	53	63997	1.1.1.1	192.168.2.5
Oct 1, 2024 11:23:35.521640062 CEST	53	54920	1.1.1.1	192.168.2.5
Oct 1, 2024 11:23:58.223577023 CEST	53	49302	1.1.1.1	192.168.2.5
Oct 1, 2024 11:23:58.949251890 CEST	53	54634	1.1.1.1	192.168.2.5
Oct 1, 2024 11:24:10.117672920 CEST	53	49193	1.1.1.1	192.168.2.5
Oct 1, 2024 11:24:10.301954031 CEST	54833	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:24:10.302242994 CEST	64212	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:24:10.309210062 CEST	53	54833	1.1.1.1	192.168.2.5
Oct 1, 2024 11:24:10.309499979 CEST	53	64212	1.1.1.1	192.168.2.5
Oct 1, 2024 11:24:26.421531916 CEST	53	58829	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 11:22:58.526650906 CEST	192.168.2.5	1.1.1.1	0x4df7	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:58.526797056 CEST	192.168.2.5	1.1.1.1	0x8996	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 1, 2024 11:22:59.557899952 CEST	192.168.2.5	1.1.1.1	0xc01e	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.558051109 CEST	192.168.2.5	1.1.1.1	0x18c0	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 11:23:02.857537031 CEST	192.168.2.5	1.1.1.1	0x5be7	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:23:02.857656002 CEST	192.168.2.5	1.1.1.1	0x9fc6	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 1, 2024 11:23:08.101871967 CEST	192.168.2.5	1.1.1.1	0x9835	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:23:08.102051973 CEST	192.168.2.5	1.1.1.1	0xb302	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 11:23:09.153630018 CEST	192.168.2.5	1.1.1.1	0x3d1c	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:23:09.154174089 CEST	192.168.2.5	1.1.1.1	0x7e8c	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 1, 2024 11:24:10.301954031 CEST	192.168.2.5	1.1.1.1	0x2ad4	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:24:10.302242994 CEST	192.168.2.5	1.1.1.1	0xdeca	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 11:22:58.533720016 CEST	1.1.1.1	192.168.2.5	0x4df7	No error (0)	youtube.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:58.536048889 CEST	1.1.1.1	192.168.2.5	0x8996	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:22:59.565417051 CEST	1.1.1.1	192.168.2.5	0xc01e	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:23:02.864120960 CEST	1.1.1.1	192.168.2.5	0x9fc6	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 1, 2024 11:23:02.864350080 CEST	1.1.1.1	192.168.2.5	0x5be7	No error (0)	www.google.com		142.250.184.196	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:23:08.108783007 CEST	1.1.1.1	192.168.2.5	0x9835	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 11:23:08.108783007 CEST	1.1.1.1	192.168.2.5	0x9835	No error (0)	www3.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:23:08.109519958 CEST	1.1.1.1	192.168.2.5	0xb302	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 11:23:09.160862923 CEST	1.1.1.1	192.168.2.5	0x3d1c	No error (0)	play.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 11:24:10.309210062 CEST	1.1.1.1	192.168.2.5	0x2ad4	No error (0)	play.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	142.250.186.174	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:22:59 UTC	859	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 09:22:59 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Tue, 01 Oct 2024 09:22:59 GMT Date: Tue, 01 Oct 2024 09:22:59 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49713	142.250.185.238	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:00 UTC	877	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 09:23:00 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 09:23:00 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Tue, 01-Oct-2024 09:53:00 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=uZmMwtbP6HM; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=Z92yyWPzZYc; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 09:23:00 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgNw%3D%3D; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 09:23:00 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49722	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:04 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 09:23:05 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=199365 Date: Tue, 01 Oct 2024 09:23:05 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49729	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:06 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 09:23:06 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=199308 Date: Tue, 01 Oct 2024 09:23:06 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-01 09:23:06 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49736	142.250.186.174	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:08 UTC	1245	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1657688464&timestamp=1727774586939 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 09:23:09 UTC	1959	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce--kYWfyat_6pe-J_mWd3ooA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 09:23:08 GMT Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Resource-Policy: cross-origin reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjMtDikmLw0JBikPj6kkkLiJ3SZ7CGAHHSv_OsJUB8ufsS63UgLpK4wtoCxEI8HH_-vdvOJrBg5aHzzEp6SfmF8ZkpqXklmSWVKfm5iZl5yfn52ZmpxcWpRWWpRfFGBkYmBpZGRnoGFvEFBgCWqCsL" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 09:23:09 UTC	1959	IN	Data Raw: 37 36 32 30 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 2d 6b 59 57 66 79 61 74 5f 36 70 65 2d 4a 5f 6d 57 64 33 6f 6f 41 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7620<html><head><script nonce="-kYWfyat_6pe-J_mWd3ooA">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-01 09:23:09 UTC	1959	IN	Data Raw: 5b 31 5d 29 69 66 28 62 3d 2f 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 Data Ascii: [1])if(b=/Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)
2024-10-01 09:23:09 UTC	1959	IN	Data Raw: 7d 2c 49 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 Data Ascii: },Ia=function(a){switch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else
2024-10-01 09:23:09 UTC	1959	IN	Data Raw: 74 6f 4a 53 4f 4e 28 29 3a 49 61 28 61 29 7d 2c 53 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c Data Ascii: toJSON():Ia(a)},Sa=function(a){var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,
2024-10-01 09:23:09 UTC	1959	IN	Data Raw: 2b 28 66 7c 7c 22 22 29 2b 22 5f 22 2b 64 2b 2b 2c 66 29 7d 3b 72 65 74 75 72 6e 20 65 7d 29 3b 0a 47 28 22 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 Data Ascii: +(f\|\|"")+"_"+d++,f)};return e});G("Symbol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){va
2024-10-01 09:23:09 UTC	1959	IN	Data Raw: 7d 28 29 29 72 65 74 75 72 6e 20 61 3b 0a 76 61 72 20 66 3d 22 24 6a 73 63 6f 6d 70 5f 68 69 64 64 65 6e 5f 22 2b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 Data Ascii: }())return a;var f="$jscomp_hidden_"+Math.random();e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=functi
2024-10-01 09:23:09 UTC	1959	IN	Data Raw: 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 76 61 6c 75 65 73 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 65 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 67 29 7b 72 65 74 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f Data Ascii: ;c.prototype.values=function(){return e(this,function(g){return g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=functio
2024-10-01 09:23:09 UTC	1959	IN	Data Raw: 75 72 6e 20 4e 75 6d 62 65 72 2e 69 73 46 69 6e 69 74 65 28 62 29 3f 62 3d 3d 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 62 29 3a 21 31 7d 7d 29 3b 47 28 22 4e 75 6d 62 65 72 2e 69 73 4e 61 4e 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 Data Ascii: urn Number.isFinite(b)?b===Math.floor(b):!1}});G("Number.isNaN",function(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a
2024-10-01 09:23:09 UTC	1959	IN	Data Raw: 72 20 78 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 7c 7c 28 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 Data Ascii: r xa=function(a,b){a.__closure__error__context__984382\|\|(a.__closure__error__context__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f
2024-10-01 09:23:09 UTC	1959	IN	Data Raw: 20 66 3d 64 5b 65 5d 3b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 66 29 7b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 66 3d 66 3f 22 6f 62 6a 65 63 74 22 3a 22 6e 75 6c 6c 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 73 74 72 69 6e 67 22 3a 62 72 65 61 6b 3b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 Data Ascii: f=d[e];switch(typeof f){case "object":f=f?"object":"null";break;case "string":break;case "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"..."

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49739	142.250.185.78	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:09 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 09:23:10 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 09:23:09 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49740	142.250.185.78	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:09 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 09:23:10 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 09:23:10 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49744	142.250.185.78	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:10 UTC	1132	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 09:23:10 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 37 34 35 38 37 39 39 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727774587995",null,null,null
2024-10-01 09:23:11 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=Zwuff34UYbHy0wo2CUuqjNx0l4rEwP9wNCmt4cIaEwdLjOVqN0jDkphbR-aqX-bs61vHVY1Ri-8BtHXID03XJUDsgbbavhkoWPuLejJQPsZsArAvKcKKgWA3YrHVjGr_g1zALEU9nzNCkzKy4rywuPEHR6x1aRiTP8wePm1lfK3ZCBokzWk; expires=Wed, 02-Apr-2025 09:23:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 09:23:11 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 09:23:11 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 09:23:11 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 09:23:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49745	142.250.185.78	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:10 UTC	1132	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 507 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 09:23:10 UTC	507	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 37 34 35 38 38 30 37 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727774588071",null,null,null
2024-10-01 09:23:11 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=coBcBVG9IM4bv2qWDEh-GzhsCax3AiA8AzVmH3vx3q0oxqIfE60rDRsvmuQfahm_0DCyjVs2AFhgBL3toiLFVNwmwUdenTcD7-1YTlXIn-D75Uw0T74U07bwIGfuRzC4jB63u9pmozzjZ3ZZJHWyDweE2ziQigr7RdpK5XoACwCnaq4VAFc; expires=Wed, 02-Apr-2025 09:23:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 09:23:11 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 09:23:11 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 09:23:11 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 09:23:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49718	142.250.184.196	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:11 UTC	1222	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=coBcBVG9IM4bv2qWDEh-GzhsCax3AiA8AzVmH3vx3q0oxqIfE60rDRsvmuQfahm_0DCyjVs2AFhgBL3toiLFVNwmwUdenTcD7-1YTlXIn-D75Uw0T74U07bwIGfuRzC4jB63u9pmozzjZ3ZZJHWyDweE2ziQigr7RdpK5XoACwCnaq4VAFc
2024-10-01 09:23:12 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Tue, 01 Oct 2024 08:35:30 GMT Expires: Wed, 09 Oct 2024 08:35:30 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 2861 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 09:23:12 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-01 09:23:12 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-01 09:23:12 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-01 09:23:12 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-01 09:23:12 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49752	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:15 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Xs4WY7FdaVPvhWh&MD=wOc4etHu HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 09:23:16 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 097b133b-74c3-4ed9-a43c-d328500e5a54 MS-RequestId: 8bef8993-cc23-47e7-972a-a7be1d677e25 MS-CV: 2dJ9kTjUeEqKxauV.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 09:23:15 GMT Connection: close Content-Length: 24490
2024-10-01 09:23:16 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-01 09:23:16 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49759	142.250.185.78	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:17 UTC	1307	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1215 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=coBcBVG9IM4bv2qWDEh-GzhsCax3AiA8AzVmH3vx3q0oxqIfE60rDRsvmuQfahm_0DCyjVs2AFhgBL3toiLFVNwmwUdenTcD7-1YTlXIn-D75Uw0T74U07bwIGfuRzC4jB63u9pmozzjZ3ZZJHWyDweE2ziQigr7RdpK5XoACwCnaq4VAFc
2024-10-01 09:23:17 UTC	1215	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 37 37 34 35 38 35 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727774585000",null,null,null,
2024-10-01 09:23:18 UTC	941	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=1MTzmPYGGAPdPmt18eXUhQWA8BRR21PvS8QTatjCWaFpLunTIdZImx51D-9fjBnMQ8r68L2Wpi3RV4EJaLamC1PLOf0GnXNEXqbqJMMCyPmSoDrvkp5VesFrdRyL0J93oC_ZFP57_eGQMVagVMgyhurIE_K4bvmhoL8rRjsAsf2ZaWfOrWHn6wjBHhc; expires=Wed, 02-Apr-2025 09:23:17 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 09:23:17 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 09:23:17 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 09:23:18 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 09:23:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49760	142.250.185.78	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:40 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1264 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=1MTzmPYGGAPdPmt18eXUhQWA8BRR21PvS8QTatjCWaFpLunTIdZImx51D-9fjBnMQ8r68L2Wpi3RV4EJaLamC1PLOf0GnXNEXqbqJMMCyPmSoDrvkp5VesFrdRyL0J93oC_ZFP57_eGQMVagVMgyhurIE_K4bvmhoL8rRjsAsf2ZaWfOrWHn6wjBHhc
2024-10-01 09:23:40 UTC	1264	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 37 34 36 31 38 31 30 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727774618109",null,null,null
2024-10-01 09:23:41 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 09:23:40 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 09:23:41 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 09:23:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49761	142.250.185.78	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:40 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1362 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=1MTzmPYGGAPdPmt18eXUhQWA8BRR21PvS8QTatjCWaFpLunTIdZImx51D-9fjBnMQ8r68L2Wpi3RV4EJaLamC1PLOf0GnXNEXqbqJMMCyPmSoDrvkp5VesFrdRyL0J93oC_ZFP57_eGQMVagVMgyhurIE_K4bvmhoL8rRjsAsf2ZaWfOrWHn6wjBHhc
2024-10-01 09:23:40 UTC	1362	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 37 34 36 31 38 39 38 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727774618984",null,null,null
2024-10-01 09:23:41 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 09:23:40 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 09:23:41 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 09:23:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49762	142.250.185.78	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:41 UTC	1298	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1038 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=1MTzmPYGGAPdPmt18eXUhQWA8BRR21PvS8QTatjCWaFpLunTIdZImx51D-9fjBnMQ8r68L2Wpi3RV4EJaLamC1PLOf0GnXNEXqbqJMMCyPmSoDrvkp5VesFrdRyL0J93oC_ZFP57_eGQMVagVMgyhurIE_K4bvmhoL8rRjsAsf2ZaWfOrWHn6wjBHhc
2024-10-01 09:23:41 UTC	1038	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 34 2e 30 32 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240924.02_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-10-01 09:23:41 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 09:23:41 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 09:23:41 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 09:23:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49763	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:23:54 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Xs4WY7FdaVPvhWh&MD=wOc4etHu HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 09:23:54 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: c3aed595-5dd8-4b13-bd74-784ae1d6d8a6 MS-RequestId: 0a16095d-11d0-44f0-8042-c9c8e6b815c0 MS-CV: kzjUC49+rUy9b93G.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 09:23:53 GMT Connection: close Content-Length: 30005
2024-10-01 09:23:54 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-01 09:23:54 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49767	142.250.185.174	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:24:10 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1285 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=1MTzmPYGGAPdPmt18eXUhQWA8BRR21PvS8QTatjCWaFpLunTIdZImx51D-9fjBnMQ8r68L2Wpi3RV4EJaLamC1PLOf0GnXNEXqbqJMMCyPmSoDrvkp5VesFrdRyL0J93oC_ZFP57_eGQMVagVMgyhurIE_K4bvmhoL8rRjsAsf2ZaWfOrWHn6wjBHhc
2024-10-01 09:24:10 UTC	1285	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 37 34 36 34 39 31 35 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727774649155",null,null,null
2024-10-01 09:24:11 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 09:24:11 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 09:24:11 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 09:24:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49768	142.250.185.174	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:24:11 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1272 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=1MTzmPYGGAPdPmt18eXUhQWA8BRR21PvS8QTatjCWaFpLunTIdZImx51D-9fjBnMQ8r68L2Wpi3RV4EJaLamC1PLOf0GnXNEXqbqJMMCyPmSoDrvkp5VesFrdRyL0J93oC_ZFP57_eGQMVagVMgyhurIE_K4bvmhoL8rRjsAsf2ZaWfOrWHn6wjBHhc
2024-10-01 09:24:11 UTC	1272	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 37 34 36 34 39 32 37 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727774649277",null,null,null
2024-10-01 09:24:11 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 09:24:11 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 09:24:11 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 09:24:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49770	142.250.185.174	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:24:41 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1176 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=1MTzmPYGGAPdPmt18eXUhQWA8BRR21PvS8QTatjCWaFpLunTIdZImx51D-9fjBnMQ8r68L2Wpi3RV4EJaLamC1PLOf0GnXNEXqbqJMMCyPmSoDrvkp5VesFrdRyL0J93oC_ZFP57_eGQMVagVMgyhurIE_K4bvmhoL8rRjsAsf2ZaWfOrWHn6wjBHhc
2024-10-01 09:24:41 UTC	1176	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 37 34 36 37 39 33 30 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727774679307",null,null,null
2024-10-01 09:24:41 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 09:24:41 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 09:24:41 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 09:24:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49771	142.250.185.174	443	5720	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:24:44 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1272 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=1MTzmPYGGAPdPmt18eXUhQWA8BRR21PvS8QTatjCWaFpLunTIdZImx51D-9fjBnMQ8r68L2Wpi3RV4EJaLamC1PLOf0GnXNEXqbqJMMCyPmSoDrvkp5VesFrdRyL0J93oC_ZFP57_eGQMVagVMgyhurIE_K4bvmhoL8rRjsAsf2ZaWfOrWHn6wjBHhc
2024-10-01 09:24:44 UTC	1272	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 37 34 36 38 32 35 34 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727774682544",null,null,null
2024-10-01 09:24:44 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 09:24:44 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 09:24:44 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 09:24:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	05:22:56
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x820000
File size:	917'504 bytes
MD5 hash:	873BD04E24FFD5FF03C7CBCB0390619B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:22:56
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	05:22:56
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 --field-trial-handle=1988,i,2673826556908286864,11684377215741503377,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	05:23:08
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5672 --field-trial-handle=1988,i,2673826556908286864,11684377215741503377,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	05:23:08
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 --field-trial-handle=1988,i,2673826556908286864,11684377215741503377,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.6%
Total number of Nodes:	1449
Total number of Limit Nodes:	52

Executed Functions

Function 008242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0082430D

Part of subcall function 00826B57: _wcslen.LIBCMT ref: 00826B6A

GetCurrentProcess.KERNEL32(?,008BCB64,00000000,?,?), ref: 00824422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00824429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00824454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00824466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00824474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0082447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008244A0

Strings

|O, xrefs: 008636F8
kernel32.dll, xrefs: 0082444F
GetNativeSystemInfo, xrefs: 00824460

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9b2a3f859c2f214b279cd040f01edc874c6b4b3c93779191e1fd6bbf9bfe7125
Instruction ID: 6620439c469568b439c75b4d7b1f4b0282fbb83ed60b3ddd0331295b852431c7
Opcode Fuzzy Hash: 9b2a3f859c2f214b279cd040f01edc874c6b4b3c93779191e1fd6bbf9bfe7125
Instruction Fuzzy Hash: 3CA1D36690A2D4CFCF12D77DBC499B67FE4FB36304B0858A9D081D3B22D2284548CB25

Function 008242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008250AA,?,?,00000000,00000000), ref: 008242B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008250AA,?,?,00000000,00000000), ref: 008242C9
LoadResource.KERNEL32(?,00000000,?,?,008250AA,?,?,00000000,00000000,?,?,?,?,?,?,00824F20), ref: 008635BE
SizeofResource.KERNEL32(?,00000000,?,?,008250AA,?,?,00000000,00000000,?,?,?,?,?,?,00824F20), ref: 008635D3
LockResource.KERNEL32(008250AA,?,?,008250AA,?,?,00000000,00000000,?,?,?,?,?,?,00824F20,?), ref: 008635E6

Strings

SCRIPT, xrefs: 008242BF

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: e1431972354002e484e454b0b6e6ecb89822238ef1ccb7ec2f36d45b513fbda9
Instruction ID: f1158c7458b1f8d5593d6deac3ac52fbd1b3430076c008452163a4fa26abbc11
Opcode Fuzzy Hash: e1431972354002e484e454b0b6e6ecb89822238ef1ccb7ec2f36d45b513fbda9
Instruction Fuzzy Hash: 36117C70240701FFDB218B66EC48F677BBAFBC5B51F104269B412D6250DBB2DC408630

Function 00862BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00822B6B

Part of subcall function 00823A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008F1418,?,00822E7F,?,?,?,00000000), ref: 00823A78

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,008E2224), ref: 00862C10
ShellExecuteW.SHELL32(00000000,?,?,008E2224), ref: 00862C17

Strings

runas, xrefs: 00862C0B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: b4bca730cc19354031137546d7c26c423e926df15335bf33b3870073f304a69e
Instruction ID: 1ba7dddadfd88595670ab0137debb311553ac907de8327c6454b20e05454c5c2
Opcode Fuzzy Hash: b4bca730cc19354031137546d7c26c423e926df15335bf33b3870073f304a69e
Instruction Fuzzy Hash: 0211E731104365EAC704FF78F8659BE7BA5FBA5310F44042DF182D21A2CF258689C753

Function 0088D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0088D501
Process32FirstW.KERNEL32(00000000,?), ref: 0088D50F
Process32NextW.KERNEL32(00000000,?), ref: 0088D52F
CloseHandle.KERNELBASE(00000000), ref: 0088D5DC

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 53215a36ff350b169e6ac23ba7ef0e1cd1fd2c521960dd8528ce349bd541ff61
Instruction ID: e7b8cb62fcd5ef9511986840314f6378a2976ffca4c7f26900a97558ebe487b2
Opcode Fuzzy Hash: 53215a36ff350b169e6ac23ba7ef0e1cd1fd2c521960dd8528ce349bd541ff61
Instruction Fuzzy Hash: 9D3191711083009FD304EF58D885AAFBBE8FF99354F14092DF581D61A1EB719989CB93

Function 0088DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00865222), ref: 0088DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0088DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0088DBEE
FindClose.KERNEL32(00000000), ref: 0088DBFA

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d3fd48753d0ad175a363b3f9d9ffa7b476a610ecc70b906b2e50862a0e336b7d
Instruction ID: 3373502db5046b004fafc9f4fda3eb0c367d4649093aa582f5fd1a9eb959b1ea
Opcode Fuzzy Hash: d3fd48753d0ad175a363b3f9d9ffa7b476a610ecc70b906b2e50862a0e336b7d
Instruction Fuzzy Hash: 7BF06531814A14578220BB7CAD0D8AA776DFF41335B544706F876D22F0EBB05D55C7D5

Function 00844CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008528E9,?,00844CBE,008528E9,008E88B8,0000000C,00844E15,008528E9,00000002,00000000,?,008528E9), ref: 00844D09
TerminateProcess.KERNEL32(00000000,?,00844CBE,008528E9,008E88B8,0000000C,00844E15,008528E9,00000002,00000000,?,008528E9), ref: 00844D10
ExitProcess.KERNEL32 ref: 00844D22

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6f848377bae4835d1f38fdb07eae0f3c0737fee0e968780550e56d9cfceefa04
Instruction ID: 96a3b89e7aff149f69637cb5ae19bda256f5516ccf0ae8ab225dfe92c8c1d2f6
Opcode Fuzzy Hash: 6f848377bae4835d1f38fdb07eae0f3c0737fee0e968780550e56d9cfceefa04
Instruction Fuzzy Hash: 23E0B631400148ABCF11AF58DD09B583BA9FB45781B504118FC16DA222CB35DD42DA80

Function 008AAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 008AB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008AB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008AB1D4
_wcslen.LIBCMT ref: 008AB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008AB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008AB236
_wcslen.LIBCMT ref: 008AB332

Part of subcall function 008905A7: GetStdHandle.KERNEL32(000000F6), ref: 008905C6

_wcslen.LIBCMT ref: 008AB34B
_wcslen.LIBCMT ref: 008AB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008AB3B6
GetLastError.KERNEL32(00000000), ref: 008AB407
CloseHandle.KERNEL32(?), ref: 008AB439
CloseHandle.KERNEL32(00000000), ref: 008AB44A
CloseHandle.KERNEL32(00000000), ref: 008AB45C
CloseHandle.KERNEL32(00000000), ref: 008AB46E
CloseHandle.KERNEL32(?), ref: 008AB4E3

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 207075490f1e02ea8f50e783ea4b1cfe58beb95bf3ccbfe939771ff3c606b341
Instruction ID: 395e69764b5b5e5b084c35b6bdcb7e3c48d770246e33fec36ef6fb9a77184055
Opcode Fuzzy Hash: 207075490f1e02ea8f50e783ea4b1cfe58beb95bf3ccbfe939771ff3c606b341
Instruction Fuzzy Hash: E0F179315082509FDB14EF28D891B6ABBE5FF86314F14855DF899DB2A2DB31EC40CB92

Function 0082D730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0082D807
timeGetTime.WINMM ref: 0082DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0082DB28
TranslateMessage.USER32(?), ref: 0082DB7B
DispatchMessageW.USER32(?), ref: 0082DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0082DB9F
Sleep.KERNEL32(0000000A), ref: 0082DBB1

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: af38994214f2c883b23f8ca3aa21e65c68a76c92f62ac62ffefdca48996239f1
Instruction ID: b5daea1bb536b69c069c85b9481cc6ec3f4b2793f21122b5e68994ecdf7907e6
Opcode Fuzzy Hash: af38994214f2c883b23f8ca3aa21e65c68a76c92f62ac62ffefdca48996239f1
Instruction Fuzzy Hash: 5642BF70608355DFDB25CB28D858FAABBE0FF85314F148659F49AC7291D770E884CB92

Function 00822CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00822D07
RegisterClassExW.USER32(00000030), ref: 00822D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00822D42
InitCommonControlsEx.COMCTL32(?), ref: 00822D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00822D6F
LoadIconW.USER32(000000A9), ref: 00822D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00822D94

Strings

0, xrefs: 00822CE9
TaskbarCreated, xrefs: 00822D37
AutoIt v3 GUI, xrefs: 00822D23
+, xrefs: 00822CF0

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: ed0eaa7039de4a5a4b80a906f7bf2ffd7942d1d9305c984ad0d30f70ab7d7687
Instruction ID: c72852e267be9722d8993afdbd51b3ca378013826157509554c4db8a1ec42a5d
Opcode Fuzzy Hash: ed0eaa7039de4a5a4b80a906f7bf2ffd7942d1d9305c984ad0d30f70ab7d7687
Instruction Fuzzy Hash: FB21C3B5A51218EFDF00DFA4E889BEDBFB4FB08700F10821AF651A62A0D7B54545CF95

Function 0086065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0086039A: CreateFileW.KERNELBASE(00000000,00000000,?,00860704,?,?,00000000,?,00860704,00000000,0000000C), ref: 008603B7

GetLastError.KERNEL32 ref: 0086076F
__dosmaperr.LIBCMT ref: 00860776
GetFileType.KERNELBASE(00000000), ref: 00860782
GetLastError.KERNEL32 ref: 0086078C
__dosmaperr.LIBCMT ref: 00860795
CloseHandle.KERNEL32(00000000), ref: 008607B5
CloseHandle.KERNEL32(?), ref: 008608FF
GetLastError.KERNEL32 ref: 00860931
__dosmaperr.LIBCMT ref: 00860938

Strings

H, xrefs: 008608BD

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 95eb76e747f68630acf7f1690be6d65eca18fa84f74717c620a64b46480d6f97
Instruction ID: 61f428b5451ac430654690734f609ab88f273bcc7ab2c4caf87ee47d67347db6
Opcode Fuzzy Hash: 95eb76e747f68630acf7f1690be6d65eca18fa84f74717c620a64b46480d6f97
Instruction Fuzzy Hash: BEA10132A142188FDF19AF68D851BAE7BA0FB06324F15015DF815EB3D2DB319912CF96

Function 0082344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00823A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008F1418,?,00822E7F,?,?,?,00000000), ref: 00823A78

Part of subcall function 00823357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00823379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0082356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0086318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008631CE
RegCloseKey.ADVAPI32(?), ref: 00863210
_wcslen.LIBCMT ref: 00863277
_wcslen.LIBCMT ref: 00863286

Strings

Include, xrefs: 00863184, 008631C5
Software\AutoIt v3\AutoIt, xrefs: 00823560
\, xrefs: 0086328C
\Include\, xrefs: 00823527

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: cc2fad94023d2417691898dee4a151f5164d84b72a17b015592eb3f3a85b40e7
Instruction ID: 223638152e5fbd8b9323ac226d0534c0713903f44a28e9409a48c2f0fb04909d
Opcode Fuzzy Hash: cc2fad94023d2417691898dee4a151f5164d84b72a17b015592eb3f3a85b40e7
Instruction Fuzzy Hash: 8F7149B14043159EC314EF69EC91DABBBE8FF95740F40092EF585C6271EB349A88CB62

Function 00822B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00822B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00822B9D
LoadIconW.USER32(00000063), ref: 00822BB3
LoadIconW.USER32(000000A4), ref: 00822BC5
LoadIconW.USER32(000000A2), ref: 00822BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00822BEF
RegisterClassExW.USER32(?), ref: 00822C40

Part of subcall function 00822CD4: GetSysColorBrush.USER32(0000000F), ref: 00822D07
Part of subcall function 00822CD4: RegisterClassExW.USER32(00000030), ref: 00822D31
Part of subcall function 00822CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00822D42
Part of subcall function 00822CD4: InitCommonControlsEx.COMCTL32(?), ref: 00822D5F
Part of subcall function 00822CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00822D6F
Part of subcall function 00822CD4: LoadIconW.USER32(000000A9), ref: 00822D85
Part of subcall function 00822CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00822D94

Strings

#, xrefs: 00822C16
AutoIt v3, xrefs: 00822C2F
0, xrefs: 00822C0F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 9a549cde33834bcfb7512c5b301ef19107153687724b8be293e64062a1dd2c83
Instruction ID: 335ec54c59725a0ef6c53703b3cb40a0102ad345dcae5da3dac51fcb241adac1
Opcode Fuzzy Hash: 9a549cde33834bcfb7512c5b301ef19107153687724b8be293e64062a1dd2c83
Instruction Fuzzy Hash: 85211870E40319EBDF109FAAEC59EAA7FB4FB48B50F00411AF600A67A0D7B90544CF94

Function 00823170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0082316A,?,?), ref: 008231D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0082316A,?,?), ref: 00823204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00823227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0082316A,?,?), ref: 00823232
CreatePopupMenu.USER32 ref: 00823246
PostQuitMessage.USER32(00000000), ref: 00823267

Strings

TaskbarCreated, xrefs: 0082322D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f635ae732b1abb18cc82d0042a266607ee4abf91122b06d31a20554deda59ef0
Instruction ID: 581a51043ed5ae02d37b24a7bf741f76d267f2fe25209654549e9b6d06c7e0ba
Opcode Fuzzy Hash: f635ae732b1abb18cc82d0042a266607ee4abf91122b06d31a20554deda59ef0
Instruction Fuzzy Hash: 8D410431200228E7DF151B7CAC2DF793A69FB05345F540125F642D62A2DB6ADA80D7A6

Function 00821410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00821459
CoUninitialize.COMBASE ref: 008214F8
UnregisterHotKey.USER32(?), ref: 008216DD
DestroyWindow.USER32(?), ref: 008624B9
FreeLibrary.KERNEL32(?), ref: 0086251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0086254B

Strings

close all, xrefs: 00821454

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 761c28add9fa7d33a098145879d67a8371e6cdc0f8d41fdd619813a68ef88489
Instruction ID: 04779fb5bd27c85556a9623cc4f5246788d3f85f060180c9b869ad535e49d5c2
Opcode Fuzzy Hash: 761c28add9fa7d33a098145879d67a8371e6cdc0f8d41fdd619813a68ef88489
Instruction Fuzzy Hash: 47D18E31701222CFDB29EF18D499A29F7A0FF55710F2542ADE54AEB252DB30AC52CF91

Function 00822C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00822C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00822CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00821CAD,?), ref: 00822CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00821CAD,?), ref: 00822CCF

Strings

edit, xrefs: 00822CAC
AutoIt v3, xrefs: 00822C89, 00822C8E, 00822C8F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 31a35f7c24a1f856a0a57736f137a8a71e1b5699767547a6640be651b2a84916
Instruction ID: 70ad7c9bf7791a212160772969069439f8fa7917ff4165f6e324b7ac6281e038
Opcode Fuzzy Hash: 31a35f7c24a1f856a0a57736f137a8a71e1b5699767547a6640be651b2a84916
Instruction Fuzzy Hash: 86F0DA76540290BAEB311727AC0CEB72EBDF7C7F60B10005AF900A67A0C6691854DAB4

Function 00823B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00823B0F,SwapMouseButtons,00000004,?), ref: 00823B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00823B0F,SwapMouseButtons,00000004,?), ref: 00823B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00823B0F,SwapMouseButtons,00000004,?), ref: 00823B83

Strings

Control Panel\Mouse, xrefs: 00823B3E

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 37f244bbddf17368a0d756e809f87ae40d544ee79b194411139e7fa122f3ac73
Instruction ID: 82bbaf824d0c44d7d6c1a6dd89f0fe7d4407c154ca53852882964ef984317beb
Opcode Fuzzy Hash: 37f244bbddf17368a0d756e809f87ae40d544ee79b194411139e7fa122f3ac73
Instruction Fuzzy Hash: 01112AB5511218FFDB208FA5EC54AAFB7B8FF04754B104559B805D7110D2359E819B60

Function 00823923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008633A2

Part of subcall function 00826B57: _wcslen.LIBCMT ref: 00826B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00823A04

Strings

Line: , xrefs: 008633EB

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 3a968492a226005cdf395c338c3a8e8c3903c7092b28dfca2f1a152462e8c3f7
Instruction ID: 596d2b3cdbf66a18156418108fb8acf0c4599adf0bcdb1f4a862f67da3bc995e
Opcode Fuzzy Hash: 3a968492a226005cdf395c338c3a8e8c3903c7092b28dfca2f1a152462e8c3f7
Instruction Fuzzy Hash: 4331B271508324ABC725EB24EC59FEBB7D8FB45714F00492AF599C2291EB789688C7C3

Function 0083FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00840668

Part of subcall function 008432A4: RaiseException.KERNEL32(?,?,?,0084068A,?,008F1444,?,?,?,?,?,?,0084068A,00821129,008E8738,00821129), ref: 00843304

__CxxThrowException@8.LIBVCRUNTIME ref: 00840685

Strings

Unknown exception, xrefs: 00840692

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 85c4f5970ff0b030c451f164b11e059a3f8e8730a5d44c9f50154f820d03c114
Instruction ID: 2596e75444e88dd7f38db77f9e7b11eb5795fdca16795e3ec50fb42e74ae3ea4
Opcode Fuzzy Hash: 85c4f5970ff0b030c451f164b11e059a3f8e8730a5d44c9f50154f820d03c114
Instruction Fuzzy Hash: 91F0C83490030DB78B00B6A8DC4AC9E776CFE50314B604531BA25D5592EF71DA15CDC2

Function 008210F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00821BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00821BF4
Part of subcall function 00821BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00821BFC
Part of subcall function 00821BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00821C07
Part of subcall function 00821BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00821C12
Part of subcall function 00821BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00821C1A
Part of subcall function 00821BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00821C22

Part of subcall function 00821B4A: RegisterWindowMessageW.USER32(00000004,?,008212C4), ref: 00821BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0082136A
OleInitialize.OLE32 ref: 00821388
CloseHandle.KERNEL32(00000000,00000000), ref: 008624AB

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 781bbbf3a070bfd0550d82f3867d373aac9b8a125814bd2685e1acdd5385fee8
Instruction ID: 64ebfe2b15f0e5166c936f46ab28bd41d0db486434c3a3624dcd607c2fb9c4f3
Opcode Fuzzy Hash: 781bbbf3a070bfd0550d82f3867d373aac9b8a125814bd2685e1acdd5385fee8
Instruction Fuzzy Hash: CD71CEB4911204CFCF84EFBAA94DA753AE1FBAC784754823AD11AC7361EB304448CF55

Function 008586AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008585CC,?,008E8CC8,0000000C), ref: 00858704
GetLastError.KERNEL32(?,008585CC,?,008E8CC8,0000000C), ref: 0085870E
__dosmaperr.LIBCMT ref: 00858739

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: c6eefef8e4ec87feabc05ad63e1b0e699527d2ec39123ad08b3c8e53d8733ba5
Instruction ID: b97b34c023b47698c8155aa9cf412030889fe5194e43e7580360d33b06076ccb
Opcode Fuzzy Hash: c6eefef8e4ec87feabc05ad63e1b0e699527d2ec39123ad08b3c8e53d8733ba5
Instruction Fuzzy Hash: 6E014C326052209BD76062385859B7F6B85FB96776F25011AEC08EB2D2DEA08C898151

Function 00831310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008317F6

Strings

CALL, xrefs: 008317C6

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: ab2ef2fbdfa6bff802c1e54b824ebaebb19c2eaf24f04b0371b4ae64a38c0c94
Instruction ID: ebf5a7f10f34b0b620825f8820035120bcc4af119598d361bb2fe3a0968a7720
Opcode Fuzzy Hash: ab2ef2fbdfa6bff802c1e54b824ebaebb19c2eaf24f04b0371b4ae64a38c0c94
Instruction Fuzzy Hash: 80226B706082059FCB14DF18C488A2ABBE1FFC9714F18892DF59ACB362D771E855CB92

Function 00822DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00862C8C

Part of subcall function 00823AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00823A97,?,?,00822E7F,?,?,?,00000000), ref: 00823AC2

Part of subcall function 00822DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00822DC4

Strings

X, xrefs: 00862C5A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 5cb02db1bfdaed7f001a86141d3eb72d78e8aedf63680530cc3d8d86d0db0528
Instruction ID: 83f1dbeef365533db76d8a93c24a3b58f2a43b6709e62ca1db117b1699354564
Opcode Fuzzy Hash: 5cb02db1bfdaed7f001a86141d3eb72d78e8aedf63680530cc3d8d86d0db0528
Instruction Fuzzy Hash: 8D219671A002AC9FCB01EF98D845BEE7BF8FF59314F004059E505E7241EBB856898FA1

Function 00823837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00823908

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 584ffa31fdaeae2a61fb8de97742cf93f6f2dc93505477216584533babbef5ca
Instruction ID: 5bfaa5c92775a2fc03c6db9be2278732c64dd1363fa3fb1d658bb7ccc3c0429c
Opcode Fuzzy Hash: 584ffa31fdaeae2a61fb8de97742cf93f6f2dc93505477216584533babbef5ca
Instruction Fuzzy Hash: 5D315A70604311DFD721DF24E894BA6BBE8FB49708F00092EF99AC7350E775AA84CB52

Function 00824ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00824E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00824EDD,?,008F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00824E9C
Part of subcall function 00824E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00824EAE
Part of subcall function 00824E90: FreeLibrary.KERNEL32(00000000,?,?,00824EDD,?,008F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00824EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00824EFD

Part of subcall function 00824E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00863CDE,?,008F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00824E62
Part of subcall function 00824E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00824E74
Part of subcall function 00824E59: FreeLibrary.KERNEL32(00000000,?,?,00863CDE,?,008F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00824E87

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: bdd6f7abd30d0683c8c801c35153d09ed9f7322a7bcb16e8c79ad31f0f364d7c
Instruction ID: f8bca9ad3fa220a00fc014de57b128d3f0d1fe6d3a19f3ffde79669255b6d09e
Opcode Fuzzy Hash: bdd6f7abd30d0683c8c801c35153d09ed9f7322a7bcb16e8c79ad31f0f364d7c
Instruction Fuzzy Hash: C111E731610225AADF14BB68ED02FAD77A5FF90710F10442DF542E61C1DE749E859B61

Function 00858402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00858440

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 96f565b54689ee2ec9bcada9b147a56af82ff1fd039c72d12264c2f92b31df6a
Instruction ID: aa336161d7b37ca416f3ad8b013694b46bdb9b8ff90fc1d181c67c705d614f6a
Opcode Fuzzy Hash: 96f565b54689ee2ec9bcada9b147a56af82ff1fd039c72d12264c2f92b31df6a
Instruction Fuzzy Hash: 2C11257190410AAFCB05DF58E94099A7BF9FF48314F10405AFC09EB312DA30DA158BA9

Function 00855000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00854C7D: RtlAllocateHeap.NTDLL(00000008,00821129,00000000,?,00852E29,00000001,00000364,?,?,?,0084F2DE,00853863,008F1444,?,0083FDF5,?), ref: 00854CBE

_free.LIBCMT ref: 0085506C

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 02166d220723790b4dbe42c3ec2211e2a3df9bcf8ce3c2be2357dc6b5a8019bc
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: FA014E72204B045BE331CF59D841A5AFBECFB85371F65051DE984D32C0EA306809C774

Function 0084E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1244d36ab5ae52e505c077b411d172770f18427aec3a916dc0092073a6fd3bb3
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 16F0D132510A1C96C7313A7D9C05B5A379CFF62336F110715F825E22D2DA749809C6A6

Function 00854C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00821129,00000000,?,00852E29,00000001,00000364,?,?,?,0084F2DE,00853863,008F1444,?,0083FDF5,?), ref: 00854CBE

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 652be83ae9318eb8851b165549e0f5f818374dfa6d387d8f87a54e55150fb866
Instruction ID: be0b0ad43b7253c4c45d195da51118770892b5a248bdaae436586aca8022e172
Opcode Fuzzy Hash: 652be83ae9318eb8851b165549e0f5f818374dfa6d387d8f87a54e55150fb866
Instruction Fuzzy Hash: 80F0E931602238A7DB215F769C09F5A3B88FFC17BAB146115BC15E7281CEB1DC4886E1

Function 00853820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,008F1444,?,0083FDF5,?,?,0082A976,00000010,008F1440,008213FC,?,008213C6,?,00821129), ref: 00853852

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 449c898ab95255bde88a3de7302a4abeeda63a52249d0046d8a6290c013dd537
Instruction ID: ede5bc5cd6d5a0ad9dde0daab235c4bda22375029158486ae8798a56b6fc5631
Opcode Fuzzy Hash: 449c898ab95255bde88a3de7302a4abeeda63a52249d0046d8a6290c013dd537
Instruction Fuzzy Hash: 54E0E531100228A7D635267A9C04B9A3748FB427F7F050131BC14E3581CB91DE0581E1

Function 00824F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00824F6D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 30f78501b81361d2979662facaddb8e711cb1daff2ddc3c08cd246d114cf9f6e
Instruction ID: a299dba27f7e9aa2336528dd6b919146f662e420374c4b7a773b17f6c88ad713
Opcode Fuzzy Hash: 30f78501b81361d2979662facaddb8e711cb1daff2ddc3c08cd246d114cf9f6e
Instruction Fuzzy Hash: 29F03971105762CFDB349F64E590822BBE4FF543293209A7EE2EAD2621CB319884DF20

Function 008230F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0082314E

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 1a8351bb310fdf01cc4fcc5c87bb559b7823877b57c385fb8d34b14976a94836
Instruction ID: eec65f5a91d228c924521b69b64fadbfe9d631959d9d573db0accb53f199e209
Opcode Fuzzy Hash: 1a8351bb310fdf01cc4fcc5c87bb559b7823877b57c385fb8d34b14976a94836
Instruction Fuzzy Hash: 53F037709143189FEB529F24DC4ABE57BBCB701708F0001E5A548D6292D7745B88CF51

Function 00822DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00822DC4

Part of subcall function 00826B57: _wcslen.LIBCMT ref: 00826B6A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 09586e230dbec0fd39aa7f4c608bb84fba39832336a178990a2d6d295618efd1
Instruction ID: 2a50aeb3e3ba8cd767673beac742ecbf205e07185a02c455b24d401972eb4e7e
Opcode Fuzzy Hash: 09586e230dbec0fd39aa7f4c608bb84fba39832336a178990a2d6d295618efd1
Instruction Fuzzy Hash: 43E0CD726001245BCB21925C9C05FDA77DDFFC8790F050171FD09D7258DA60AD808551

Function 00822B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00823837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00823908

Part of subcall function 0082D730: GetInputState.USER32 ref: 0082D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00822B6B

Part of subcall function 008230F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0082314E

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: ac702942490b0941c4c57515d64ac387db82e170ac242a9df8be2ce55a45cdf8
Instruction ID: 67d0d44c3e60e1de5111b6a32627aae9c9a3e98884cf915b05aaba31af975c63
Opcode Fuzzy Hash: ac702942490b0941c4c57515d64ac387db82e170ac242a9df8be2ce55a45cdf8
Instruction Fuzzy Hash: 20E0862130426856CA04BB7CB86657DA75AFBE5351F40153EF182C71A2CE2945C982A3

Function 0086039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00860704,?,?,00000000,?,00860704,00000000,0000000C), ref: 008603B7

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: cb4f092870194c4b2c5c0b2c869ce1daad83245febc67986facfb83c82bd074e
Instruction ID: 6fedd44739148520127f40239842e17201b234b3a97b952fa754a2a905c7333d
Opcode Fuzzy Hash: cb4f092870194c4b2c5c0b2c869ce1daad83245febc67986facfb83c82bd074e
Instruction Fuzzy Hash: A6D06C3204010DBBDF128F84DD06EDA3BAAFB48714F014100BE1866020C732E821AB90

Function 00821CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00821CBC

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 1964b8693833c0413aa3aab735a627655fbd7f5abf070d522ac647897cd5e029
Instruction ID: a56cf2a68e4ae0e3250450afbc6631c3d2a60cd0481a3cd2a429ec8fce7e3c17
Opcode Fuzzy Hash: 1964b8693833c0413aa3aab735a627655fbd7f5abf070d522ac647897cd5e029
Instruction Fuzzy Hash: A9C09236280305EFF6248BA0BC4EF207764B34CB00F048101F609A96E3C3A22820EA60

Non-executed Functions

Function 008B9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00839BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00839BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 008B961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008B965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 008B969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008B96C9
SendMessageW.USER32 ref: 008B96F2
GetKeyState.USER32(00000011), ref: 008B978B
GetKeyState.USER32(00000009), ref: 008B9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008B97AE
GetKeyState.USER32(00000010), ref: 008B97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008B97E9
SendMessageW.USER32 ref: 008B9810
SendMessageW.USER32(?,00001030,?,008B7E95), ref: 008B9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 008B992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 008B9941
SetCapture.USER32(?), ref: 008B994A
ClientToScreen.USER32(?,?), ref: 008B99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008B99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008B99D6
ReleaseCapture.USER32 ref: 008B99E1
GetCursorPos.USER32(?), ref: 008B9A19
ScreenToClient.USER32(?,?), ref: 008B9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 008B9A80
SendMessageW.USER32 ref: 008B9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 008B9AEB
SendMessageW.USER32 ref: 008B9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 008B9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 008B9B4A
GetCursorPos.USER32(?), ref: 008B9B68
ScreenToClient.USER32(?,?), ref: 008B9B75
GetParent.USER32(?), ref: 008B9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 008B9BFA
SendMessageW.USER32 ref: 008B9C2B
ClientToScreen.USER32(?,?), ref: 008B9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 008B9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 008B9CDE
SendMessageW.USER32 ref: 008B9D01
ClientToScreen.USER32(?,?), ref: 008B9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 008B9D82

Part of subcall function 00839944: GetWindowLongW.USER32(?,000000EB), ref: 00839952

GetWindowLongW.USER32(?,000000F0), ref: 008B9E05

Strings

F, xrefs: 008B9D07
@GUI_DRAGID, xrefs: 008B997D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 0a3dc0521282a3d6aacb33e74fea2e221c52b9255083eaa34ee36267bb7be0ac
Instruction ID: 4e5113976c54c70f08a22cc5ac6adeaf7ab998006b56933dc315c66c982586aa
Opcode Fuzzy Hash: 0a3dc0521282a3d6aacb33e74fea2e221c52b9255083eaa34ee36267bb7be0ac
Instruction Fuzzy Hash: B3426934204251AFDB24CF68CC48EAABBE5FF5A314F144619F699C73A1E771A850CB92

Function 008B4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008B48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 008B4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 008B4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 008B494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 008B495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 008B497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008B49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008B49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 008B4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008B4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008B4A7E
IsMenu.USER32(?), ref: 008B4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008B4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008B4B20
GetWindowLongW.USER32(?,000000F0), ref: 008B4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 008B4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 008B4C82
wsprintfW.USER32 ref: 008B4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008B4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 008B4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008B4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008B4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 008B4D5A

Strings

%d/%02d/%02d, xrefs: 008B4CA8

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 8e6828800ea6f2ee5185f812bd77f65560165bcb33883d16ae3bb6ce873f8702
Instruction ID: 3b3ea949df800d3105a5714dff7b426e4d977e2f1e721800dbabaa0c008b754c
Opcode Fuzzy Hash: 8e6828800ea6f2ee5185f812bd77f65560165bcb33883d16ae3bb6ce873f8702
Instruction Fuzzy Hash: D212AD71600218ABEB258F28CC4AFEE7BB8FF45714F145229F516EB3A2DB749941CB50

Function 0083F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0083F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0087F474
IsIconic.USER32(00000000), ref: 0087F47D
ShowWindow.USER32(00000000,00000009), ref: 0087F48A
SetForegroundWindow.USER32(00000000), ref: 0087F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0087F4AA
GetCurrentThreadId.KERNEL32 ref: 0087F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0087F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0087F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0087F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0087F4DE
SetForegroundWindow.USER32(00000000), ref: 0087F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0087F4F6
keybd_event.USER32(00000012,00000000), ref: 0087F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0087F50B
keybd_event.USER32(00000012,00000000), ref: 0087F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0087F519
keybd_event.USER32(00000012,00000000), ref: 0087F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0087F528
keybd_event.USER32(00000012,00000000), ref: 0087F52D
SetForegroundWindow.USER32(00000000), ref: 0087F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0087F557

Strings

Shell_TrayWnd, xrefs: 0087F46F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a97e884daa9662ece3f0805210f1172bfb82c32e7c0d24e9fa7bab8eff367538
Instruction ID: 1da6e9908919e995b36a0dba99394482292bbd4c1c318fd67631d38d43497f91
Opcode Fuzzy Hash: a97e884daa9662ece3f0805210f1172bfb82c32e7c0d24e9fa7bab8eff367538
Instruction Fuzzy Hash: 90317471A40218BBEB206FB69C4AFBF7F6CFB45B50F104165FB05E61D1C6B19D00AAA0

Function 00881201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0088170D
Part of subcall function 008816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0088173A
Part of subcall function 008816C3: GetLastError.KERNEL32 ref: 0088174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00881286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008812A8
CloseHandle.KERNEL32(?), ref: 008812B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008812D1
GetProcessWindowStation.USER32 ref: 008812EA
SetProcessWindowStation.USER32(00000000), ref: 008812F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00881310

Part of subcall function 008810BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008811FC), ref: 008810D4
Part of subcall function 008810BF: CloseHandle.KERNEL32(?,?,008811FC), ref: 008810E9

Strings

winsta0, xrefs: 008812CC
default, xrefs: 0088130B
, xrefs: 0088125A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 5e54f5f0d8a980eb5460659eb72cf260e90d38713d0e9a6f1b0824efd3e168a9
Instruction ID: 385a4451fa391cffeb13ac6ad5cdc71fe10c041451588daf4e1cdfebe5362f92
Opcode Fuzzy Hash: 5e54f5f0d8a980eb5460659eb72cf260e90d38713d0e9a6f1b0824efd3e168a9
Instruction Fuzzy Hash: ED818D71900209ABDF21AFA8DC49FEE7BBEFF04704F144129F911E62A0DB359946CB65

Function 00880B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00881114
Part of subcall function 008810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00880B9B,?,?,?), ref: 00881120
Part of subcall function 008810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00880B9B,?,?,?), ref: 0088112F
Part of subcall function 008810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00880B9B,?,?,?), ref: 00881136
Part of subcall function 008810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0088114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00880BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00880C00
GetLengthSid.ADVAPI32(?), ref: 00880C17
GetAce.ADVAPI32(?,00000000,?), ref: 00880C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00880C6D
GetLengthSid.ADVAPI32(?), ref: 00880C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00880C8C
HeapAlloc.KERNEL32(00000000), ref: 00880C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00880CB4
CopySid.ADVAPI32(00000000), ref: 00880CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00880CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00880D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00880D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00880D45
HeapFree.KERNEL32(00000000), ref: 00880D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00880D55
HeapFree.KERNEL32(00000000), ref: 00880D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00880D65
HeapFree.KERNEL32(00000000), ref: 00880D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00880D78
HeapFree.KERNEL32(00000000), ref: 00880D7F

Part of subcall function 00881193: GetProcessHeap.KERNEL32(00000008,00880BB1,?,00000000,?,00880BB1,?), ref: 008811A1
Part of subcall function 00881193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00880BB1,?), ref: 008811A8
Part of subcall function 00881193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00880BB1,?), ref: 008811B7

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 101483eaeacb677bc808aa82dc23880dea0d8eb53cc9acbaaf6a601e253f09f5
Instruction ID: 76649905093c2d05268161b6cdf21d672f55b3432b01acf2f5a3e3926e694330
Opcode Fuzzy Hash: 101483eaeacb677bc808aa82dc23880dea0d8eb53cc9acbaaf6a601e253f09f5
Instruction Fuzzy Hash: B7715A7290020AAFEF50EFA4DC48BAEBBB9FF04300F144615E914E7191D775A909CF60

Function 0089EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(008BCC08), ref: 0089EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0089EB37
GetClipboardData.USER32(0000000D), ref: 0089EB43
CloseClipboard.USER32 ref: 0089EB4F
GlobalLock.KERNEL32(00000000), ref: 0089EB87
CloseClipboard.USER32 ref: 0089EB91
GlobalUnlock.KERNEL32(00000000), ref: 0089EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0089EBC9
GetClipboardData.USER32(00000001), ref: 0089EBD1
GlobalLock.KERNEL32(00000000), ref: 0089EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0089EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0089EC38
GetClipboardData.USER32(0000000F), ref: 0089EC44
GlobalLock.KERNEL32(00000000), ref: 0089EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0089EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0089EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0089ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0089ECF3
CountClipboardFormats.USER32 ref: 0089ED14
CloseClipboard.USER32 ref: 0089ED59

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 9167f6fb75c1da7e4e8ae60a1d939f78fd0983ddf6cf4c5992625dc64d1fa2b8
Instruction ID: ca9cc4fad58a85c9f211bdf5ca0a6158a22f78a424363adec36988857cc9ddfa
Opcode Fuzzy Hash: 9167f6fb75c1da7e4e8ae60a1d939f78fd0983ddf6cf4c5992625dc64d1fa2b8
Instruction Fuzzy Hash: FF61D034204206AFDB10EF28D889F2A7BA4FF85714F18461DF496D72A2DB31DD45CB62

Function 0089698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008969BE
FindClose.KERNEL32(00000000), ref: 00896A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00896A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00896A75

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00896AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00896ADF

Strings

%02d, xrefs: 00896C00, 00896C0A, 00896C5A, 00896CAA, 00896CFA, 00896D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00896B32
%4d%02d%02d%02d%02d%02d, xrefs: 00896B6A
%4d, xrefs: 00896BB1
%03d, xrefs: 00896DA2

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 6332b3cd921094faa049cdc90aab302c2201a2ac293475dbd35213dcceb523e1
Instruction ID: 4940ea6ed802f6247f7bf641e16c8c194eec9f3c4372e37fe0fa4b8dd4123f17
Opcode Fuzzy Hash: 6332b3cd921094faa049cdc90aab302c2201a2ac293475dbd35213dcceb523e1
Instruction Fuzzy Hash: 26D14DB2508350AFC710EBA4D991EAFB7E8FF88704F444919F585C6191EB74DA48CBA3

Function 00899642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00899663
GetFileAttributesW.KERNEL32(?), ref: 008996A1
SetFileAttributesW.KERNEL32(?,?), ref: 008996BB
FindNextFileW.KERNEL32(00000000,?), ref: 008996D3
FindClose.KERNEL32(00000000), ref: 008996DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008996FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0089974A
SetCurrentDirectoryW.KERNEL32(008E6B7C), ref: 00899768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00899772
FindClose.KERNEL32(00000000), ref: 0089977F
FindClose.KERNEL32(00000000), ref: 0089978F

Strings

*.*, xrefs: 008996F5

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 2014752018844aa74a0073bc4c93e2256e8977af82c978905c43bd50c17c9e6e
Instruction ID: 34a4b57bd3cc5330bec5a4cfbb26915297902e7bc70e59770fdd9a2b2f84abfe
Opcode Fuzzy Hash: 2014752018844aa74a0073bc4c93e2256e8977af82c978905c43bd50c17c9e6e
Instruction Fuzzy Hash: E131C2325012197FDF14AFF9DC48ADE77ACFF49320F18425AF855E21A0EB75D9448A20

Function 0089979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 008997BE
FindNextFileW.KERNEL32(00000000,?), ref: 00899819
FindClose.KERNEL32(00000000), ref: 00899824
FindFirstFileW.KERNEL32(*.*,?), ref: 00899840
SetCurrentDirectoryW.KERNEL32(?), ref: 00899890
SetCurrentDirectoryW.KERNEL32(008E6B7C), ref: 008998AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008998B8
FindClose.KERNEL32(00000000), ref: 008998C5
FindClose.KERNEL32(00000000), ref: 008998D5

Part of subcall function 0088DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0088DB00

Strings

*.*, xrefs: 0089983B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 275f7243ffb144b0537ed7b2d36fbce0de94a86c8179c6003239e41f8eb5aeb0
Instruction ID: c04d9f24304a520a394a41e1d7f90d0bc1d7af06fb1221c22d4e881ceb03f868
Opcode Fuzzy Hash: 275f7243ffb144b0537ed7b2d36fbce0de94a86c8179c6003239e41f8eb5aeb0
Instruction Fuzzy Hash: 4131A53150061D6BDF10BFB9DC48ADE77ACFF4A320F18416EE894F21A1EB75D9448A60

Function 008ABE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008AB6AE,?,?), ref: 008AC9B5
Part of subcall function 008AC998: _wcslen.LIBCMT ref: 008AC9F1
Part of subcall function 008AC998: _wcslen.LIBCMT ref: 008ACA68
Part of subcall function 008AC998: _wcslen.LIBCMT ref: 008ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008ABF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 008ABFA9
RegCloseKey.ADVAPI32(00000000), ref: 008ABFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008AC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008AC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008AC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008AC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 008AC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008AC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 008AC382
RegCloseKey.ADVAPI32(00000000), ref: 008AC38F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 12e1f4cb992af5e32405d12a19926e609dd5951c51a81bb116a1810f6f423e11
Instruction ID: 4394977d940e58a3f65d951f374bfc9191d9a5bcfa518430fb7cc59ca141e5d1
Opcode Fuzzy Hash: 12e1f4cb992af5e32405d12a19926e609dd5951c51a81bb116a1810f6f423e11
Instruction Fuzzy Hash: 17022D716042009FD714DF28C895E2ABBE5FF89318F18849DF84ADB6A2DB31ED45CB52

Function 00898195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00898257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00898267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00898273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00898310
SetCurrentDirectoryW.KERNEL32(?), ref: 00898324
SetCurrentDirectoryW.KERNEL32(?), ref: 00898356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0089838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00898395

Strings

*.*, xrefs: 0089839B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: a2a4fc1bb600e5d78378da9dbced25b4fc1e475e84e44f9af2f8701e4be89f71
Instruction ID: 3b8fd7dd40577fc91c7f8f3f837e6ac0cdea42a19ffea6c23931e7b39e6ccdb7
Opcode Fuzzy Hash: a2a4fc1bb600e5d78378da9dbced25b4fc1e475e84e44f9af2f8701e4be89f71
Instruction Fuzzy Hash: 89616B725043169FCB10EF64D8449AEB3E8FF89314F08892EF999D7251DB31E945CB92

Function 0088D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00823AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00823A97,?,?,00822E7F,?,?,?,00000000), ref: 00823AC2

Part of subcall function 0088E199: GetFileAttributesW.KERNEL32(?,0088CF95), ref: 0088E19A

FindFirstFileW.KERNEL32(?,?), ref: 0088D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0088D1DD
MoveFileW.KERNEL32(?,?), ref: 0088D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0088D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0088D237

Part of subcall function 0088D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0088D21C,?,?), ref: 0088D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0088D253
FindClose.KERNEL32(00000000), ref: 0088D264

Strings

\*.*, xrefs: 0088D0CD, 0088D0D6, 0088D0EB

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 8972755736836680a211348e4b2fd4f1b18a61fc6cc1df5b79e7752642bdae09
Instruction ID: 800facd3e280ca640b3f961df66e89973cde6206f63d52bba7fe5e84576f04d4
Opcode Fuzzy Hash: 8972755736836680a211348e4b2fd4f1b18a61fc6cc1df5b79e7752642bdae09
Instruction Fuzzy Hash: 7A61273180121DAACF05FBA4E9929EDB7B9FF55300F244165E442B7191EB30AF49CB62

Function 0089ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0089ED91
EmptyClipboard.USER32 ref: 0089ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0089EDAC
CloseClipboard.USER32 ref: 0089EEA3

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 24e2ba7706323aaf44a0d52a4e5aff7bd67b26087fc421ae90f0c3fdfda0de1a
Instruction ID: bef3eb186a6b89930488b378f5fd205ee730ed7506407ee6bf2526afb41ceecd
Opcode Fuzzy Hash: 24e2ba7706323aaf44a0d52a4e5aff7bd67b26087fc421ae90f0c3fdfda0de1a
Instruction Fuzzy Hash: 41417C35604611AFDB20DF19E888F29BBA5FF44328F188199E429CB662C775EC41CB91

Function 0088E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0088170D
Part of subcall function 008816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0088173A
Part of subcall function 008816C3: GetLastError.KERNEL32 ref: 0088174A

ExitWindowsEx.USER32(?,00000000), ref: 0088E932

Strings

, xrefs: 0088E95C
@, xrefs: 0088E925
, xrefs: 0088E920
SeShutdownPrivilege, xrefs: 0088E902

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 18cc0b370e99ab911f4358893c931ad71aa778ad6a82ea46dbe42af406f343fb
Instruction ID: c7b04576f2906d9da24a8d992345c9a53b84df5bd7d2aafbf25152eeacd074e8
Opcode Fuzzy Hash: 18cc0b370e99ab911f4358893c931ad71aa778ad6a82ea46dbe42af406f343fb
Instruction Fuzzy Hash: 9101F972610215ABEB6476B99C8AFBF775CF714754F154521FC13E21E2EAE0AC4083A0

Function 008A1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008A1276
WSAGetLastError.WSOCK32 ref: 008A1283
bind.WSOCK32(00000000,?,00000010), ref: 008A12BA
WSAGetLastError.WSOCK32 ref: 008A12C5
closesocket.WSOCK32(00000000), ref: 008A12F4
listen.WSOCK32(00000000,00000005), ref: 008A1303
WSAGetLastError.WSOCK32 ref: 008A130D
closesocket.WSOCK32(00000000), ref: 008A133C

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 46e932184fc121d166a7d455c7c2544730623c6da4ca4b4db6faeeedc07a5042
Instruction ID: edc692186a83d3a1fdbe73c282509ef48e021acbef66848cdaaab204550c5dc0
Opcode Fuzzy Hash: 46e932184fc121d166a7d455c7c2544730623c6da4ca4b4db6faeeedc07a5042
Instruction Fuzzy Hash: 7A417F316001109FEB10DF68D588B2ABBE5FF46318F188198E856DF696C775ED81CBE1

Function 0085B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0085B9D4
_free.LIBCMT ref: 0085B9F8
_free.LIBCMT ref: 0085BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,008C3700), ref: 0085BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008F121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0085BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008F1270,000000FF,?,0000003F,00000000,?), ref: 0085BC36
_free.LIBCMT ref: 0085BD4B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: a5f4a5ead29e6d5496fa40b0a0ba591149200040ef2a798eab3313af8d4816a9
Instruction ID: 59c51eb0dbce57202b216201f234c6ecab971c756cb32ee8160dd10b0dbac60b
Opcode Fuzzy Hash: a5f4a5ead29e6d5496fa40b0a0ba591149200040ef2a798eab3313af8d4816a9
Instruction Fuzzy Hash: 5EC129719042489FCB21DF799C45BBABBB8FF61362F1441AAEC90E7251EB308E49C751

Function 0088D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00823AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00823A97,?,?,00822E7F,?,?,?,00000000), ref: 00823AC2

Part of subcall function 0088E199: GetFileAttributesW.KERNEL32(?,0088CF95), ref: 0088E19A

FindFirstFileW.KERNEL32(?,?), ref: 0088D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0088D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0088D481
FindClose.KERNEL32(00000000), ref: 0088D498
FindClose.KERNEL32(00000000), ref: 0088D4A1

Strings

\*.*, xrefs: 0088D3F2

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 554e338ce9786a62da196e4e36cae97eca04ee5b84c25e5b1beb8ec949817a4e
Instruction ID: 61a1010e6fd0b5fc7d277557e11e692f94e570d4984de8c46bc588d5839c9ac0
Opcode Fuzzy Hash: 554e338ce9786a62da196e4e36cae97eca04ee5b84c25e5b1beb8ec949817a4e
Instruction Fuzzy Hash: 81315C710083559BC304FF68E8958AFB7A8FE95314F444A2DF4D1D21A1EB30AA49CB67

Function 0085E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0085E645

Strings

1#QNAN, xrefs: 0085F84B
1#INF, xrefs: 0085F852
1#IND, xrefs: 0085F83D
1#SNAN, xrefs: 0085F844

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e22717d328db10d0f4692ec32d1d7c1285c0f166976a787dde6d91ec72f55d62
Instruction ID: 07683d1b2ab182157a13acb91b8fcf57a6dbc14d9a9d8e0d5b4d4d77661ce0c9
Opcode Fuzzy Hash: e22717d328db10d0f4692ec32d1d7c1285c0f166976a787dde6d91ec72f55d62
Instruction Fuzzy Hash: 63C22A71E046288FDB29CE28DD407EAB7B5FB48306F1441EAD94DE7241E774AE898F41

Function 0089648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008964DC
CoInitialize.OLE32(00000000), ref: 00896639
CoCreateInstance.OLE32(008BFCF8,00000000,00000001,008BFB68,?), ref: 00896650
CoUninitialize.OLE32 ref: 008968D4

Strings

.lnk, xrefs: 008964BA, 00896524, 008965E0

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 27494c0a6d88a54fc0e926a3ee0136d2fefe1bd7377695195624f7c302f62c0a
Instruction ID: 5fffc080e39bcac0be9f7940355ae58669a849327959036659c9caf070624fe1
Opcode Fuzzy Hash: 27494c0a6d88a54fc0e926a3ee0136d2fefe1bd7377695195624f7c302f62c0a
Instruction Fuzzy Hash: 6AD13771508211AFC704EF28D891E6BB7E8FF98704F04496DF595CB2A1EB70E949CB92

Function 008A22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008A22E8

Part of subcall function 0089E4EC: GetWindowRect.USER32(?,?), ref: 0089E504

GetDesktopWindow.USER32 ref: 008A2312
GetWindowRect.USER32(00000000), ref: 008A2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 008A2355
GetCursorPos.USER32(?), ref: 008A2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008A23DF

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 36ae15102eae923b0048803e3e22ebb274ca9771dd62882164241552f0bd87f1
Instruction ID: 3b89aa2dffaf1c9d84801d748dc60f894296f14a3ea17f9987d5db12b80ccda7
Opcode Fuzzy Hash: 36ae15102eae923b0048803e3e22ebb274ca9771dd62882164241552f0bd87f1
Instruction Fuzzy Hash: 1B31AD72504315AFDB20DF58C849B9BBBA9FF86314F000A19F985D7291DB74EA09CB92

Function 00899B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00899B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00899C8B

Part of subcall function 00893874: GetInputState.USER32 ref: 008938CB
Part of subcall function 00893874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00893966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00899BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00899C75

Strings

*.*, xrefs: 00899B5D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: a226569e1eb2e1a540ef08f6bf09b6e730a936c7276910ded8708a896fca5058
Instruction ID: 01e89d16fc96ccc3a1a0e0fec629e57d69e7a1f86609d8125efc38a2e36d65cc
Opcode Fuzzy Hash: a226569e1eb2e1a540ef08f6bf09b6e730a936c7276910ded8708a896fca5058
Instruction Fuzzy Hash: 8641607190021A9FCF14EF68DC55AEE7BB8FF05314F18415AE855E2291EB349E84CF61

Function 0083997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00839BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00839BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00839A4E
GetSysColor.USER32(0000000F), ref: 00839B23
SetBkColor.GDI32(?,00000000), ref: 00839B36

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 8d028dcca6dd35cf59ca4ef152459a1a3d4f79626644a1b3007f0dc3cd17e66f
Instruction ID: 66b233a1405723bb2efd3b05795d56a47f4bc76aff0d9b0c35d74902cb2f5706
Opcode Fuzzy Hash: 8d028dcca6dd35cf59ca4ef152459a1a3d4f79626644a1b3007f0dc3cd17e66f
Instruction Fuzzy Hash: 31A13C71208428EEE7289A3C8C59EBB3A5DFBC2354F154319F582C66D9CAA5DD01C3F2

Function 008A1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008A304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 008A307A
Part of subcall function 008A304E: _wcslen.LIBCMT ref: 008A309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 008A185D
WSAGetLastError.WSOCK32 ref: 008A1884
bind.WSOCK32(00000000,?,00000010), ref: 008A18DB
WSAGetLastError.WSOCK32 ref: 008A18E6
closesocket.WSOCK32(00000000), ref: 008A1915

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 52ed4d1618b9c6706455aff9c125ad89e3c77f3a77004d79dec36bf9debc0254
Instruction ID: 59d59d0a5917431afbe9d3e35582b525dce9c396a0df89bf1ab74bb393573ad1
Opcode Fuzzy Hash: 52ed4d1618b9c6706455aff9c125ad89e3c77f3a77004d79dec36bf9debc0254
Instruction Fuzzy Hash: 4251B371A002109FEB10AF28D886F2A77E5FB45718F088058F9059F783DB75AD41CBE2

Function 008B1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 008B1CC0
IsWindowEnabled.USER32 ref: 008B1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 008B1CDB
IsIconic.USER32 ref: 008B1CE9
IsZoomed.USER32 ref: 008B1CF7

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e71b006ea79415eea50eb18ae0353211934ef840bb7c642d12deee6b525826e3
Instruction ID: 389eeb2a17288fc8729a0d8e30407d020c7e0ca2a9bd7149652f5f7a049edd64
Opcode Fuzzy Hash: e71b006ea79415eea50eb18ae0353211934ef840bb7c642d12deee6b525826e3
Instruction Fuzzy Hash: B621A3317402119FDB208F1AD868BAA7FA5FF95314F598058E84ACF352CB71ED42CB95

Function 00828060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 008283FA
VUUU, xrefs: 008283E8
ERCP, xrefs: 0082813C
VUUU, xrefs: 0082843C
VUUU, xrefs: 00865DF0

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: dac799d16a452db6c1ad93260a5f74b5a9940dbcaa4bcd98f5f40ab0014ca7fa
Instruction ID: 59399ca08b8fe6e6c6667f5aacf1527fd87585db6595aac4def7cbed65b43eb3
Opcode Fuzzy Hash: dac799d16a452db6c1ad93260a5f74b5a9940dbcaa4bcd98f5f40ab0014ca7fa
Instruction Fuzzy Hash: E4A27970A0166ACBDF24CF58D9447AEB7B1FB54314F2581AAE815EB384EB309DD1CB90

Function 0088AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0088AAAC
SetKeyboardState.USER32(00000080), ref: 0088AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0088AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0088AB88

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b3eb334a661dd35a36aa6b3ade21eebcf029672205a1186a39691dccb62e7657
Instruction ID: 12fecddced54e19681360557a64f9655334e7d7e0100029db4eb6922eaa33fd2
Opcode Fuzzy Hash: b3eb334a661dd35a36aa6b3ade21eebcf029672205a1186a39691dccb62e7657
Instruction Fuzzy Hash: 5D31F630A40258AEFB39AA688C05BFA7BA6FB45330F04421BF5C1D65D1D3759981C763

Function 0089CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0089CE89
GetLastError.KERNEL32(?,00000000), ref: 0089CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0089CEFE

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c7d2878bc29107a9b67695302b6f8461b77acb79e58460296725478bab758536
Instruction ID: 1debd0588b88b1beef469985b4b18744ff1d79f763458bad4c55897c275f4804
Opcode Fuzzy Hash: c7d2878bc29107a9b67695302b6f8461b77acb79e58460296725478bab758536
Instruction Fuzzy Hash: BE219DB15007099FDB30EF65C948BAA77F8FB50358F14442EE546D2151EB75EE048B64

Function 00888298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008882AA

Strings

(, xrefs: 008882F0
|, xrefs: 008882DA

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 36f94b834c97953619d87a57872e89624812acaa36ec8c63b43fcd40a5deee04
Instruction ID: d9ae9b67d34a545e85f48ecf160b1b6d16706f156aba5fd644342cda9f9b7b7f
Opcode Fuzzy Hash: 36f94b834c97953619d87a57872e89624812acaa36ec8c63b43fcd40a5deee04
Instruction Fuzzy Hash: 0A323474A00605DFCB28DF59C480A6AB7F0FF48710B55C56EE59ADB3A1EB70E981CB40

Function 00895C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00895CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00895D17
FindClose.KERNEL32(?), ref: 00895D5F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0b8204a5cb3f5e1d0f7bc3a825c7a083c1b8077c30fa8b0a7f41af022ad46177
Instruction ID: 6148d0fe850fc41f018553aaf5b370beba424cd7bfe01682f8eaebfd4a0e6969
Opcode Fuzzy Hash: 0b8204a5cb3f5e1d0f7bc3a825c7a083c1b8077c30fa8b0a7f41af022ad46177
Instruction Fuzzy Hash: 14519A346046019FCB14DF28D498A9AB7E4FF49324F18856EE95ACB3A2DB30ED44CB91

Function 00852622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0085271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00852724
UnhandledExceptionFilter.KERNEL32(?), ref: 00852731

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2f891b6d98fd4b854316aed62e344c95414839cc034ea3ba3d76a16eb4db095a
Instruction ID: a8fd0ae91a0b625dea2cf1987bf22241d627dc4b3432a5b0c1a6ed314e8828b6
Opcode Fuzzy Hash: 2f891b6d98fd4b854316aed62e344c95414839cc034ea3ba3d76a16eb4db095a
Instruction Fuzzy Hash: 9A31B67591122C9BCB21DF68DC89B99B7B8FF08310F5041DAE81CA6261EB309F858F45

Function 008951CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008951DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00895238
SetErrorMode.KERNEL32(00000000), ref: 008952A1

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 95eb73fb7f4e0dd4e95c46f67f9cffb128f03883d70c70355bd8fbde8cf30fdf
Instruction ID: 8f1173be2077804032e46a88eb7f42c9081999b4e1c07984ba9131c205c12632
Opcode Fuzzy Hash: 95eb73fb7f4e0dd4e95c46f67f9cffb128f03883d70c70355bd8fbde8cf30fdf
Instruction Fuzzy Hash: 51313E75A00518DFDB00EF98D884EADBBB5FF49314F088099E805EB3A2DB31E855CB91

Function 008816C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0083FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00840668
Part of subcall function 0083FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00840685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0088170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0088173A
GetLastError.KERNEL32 ref: 0088174A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 79f2daea4feae865ede14ff0d389b950b97c21ad31fb807c620713033855e416
Instruction ID: 82b63f33601866b765bb1bb1dc790f0e80af9565e4a2b3a2264ebf2c75dad450
Opcode Fuzzy Hash: 79f2daea4feae865ede14ff0d389b950b97c21ad31fb807c620713033855e416
Instruction Fuzzy Hash: 241191B2814309AFD718AF54DC8AD6AB7FDFF44754B20852EF05697245EB70BC428B60

Function 0088D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0088D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0088D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0088D650

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: e83914654b265254230d33821e9d879611187cd295c9c3aa69fa97d2d571e0de
Instruction ID: 17f960385ecdcdbc9de0b87141b23bb78ae0b6fe998822a87e2559f823c0ad5e
Opcode Fuzzy Hash: e83914654b265254230d33821e9d879611187cd295c9c3aa69fa97d2d571e0de
Instruction Fuzzy Hash: BC113C75E05228BBDB209F99AC45FAFBBBCFB45B50F108125F904E7290D6705A058BA1

Function 00881663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0088168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008816A1
FreeSid.ADVAPI32(?), ref: 008816B1

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d5a39dc7c034215818bd490d9cc8436dee6d37bb78d58c72b7fb5c80122a8b5d
Instruction ID: 4862c481f041fafdfccfad57bfaae6b99af5e6cab8e22d8114e47940392665a2
Opcode Fuzzy Hash: d5a39dc7c034215818bd490d9cc8436dee6d37bb78d58c72b7fb5c80122a8b5d
Instruction Fuzzy Hash: CCF0F471950309FBDF00EFE49C89AAEBBBCFB08604F504565E501E2181E774AA458B60

Function 0085C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0085C36C

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 30d1c8f35054417553f5999b4af76f2c248c63064d13dc91e232a439701f432d
Instruction ID: 4e8a1bb47a9476884f5be0df933881f3137c9d031520ca3d1412eccabb45cee4
Opcode Fuzzy Hash: 30d1c8f35054417553f5999b4af76f2c248c63064d13dc91e232a439701f432d
Instruction Fuzzy Hash: 82411572900319AFCB209FB9CC89EAB77B9FB84356F5042A9FD05D7280E6709D858F50

Function 0087D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0087D28C

Strings

X64, xrefs: 0087D2A8

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 530ef1d5707af4bc2f2557e65155a3f68ea779338d22c2be6fec52a7736b5d46
Instruction ID: 8bc0f2c5ef05d18aedef09f854c8bbc88979a6f93606d9967a17eff7dedb23a5
Opcode Fuzzy Hash: 530ef1d5707af4bc2f2557e65155a3f68ea779338d22c2be6fec52a7736b5d46
Instruction Fuzzy Hash: 31D0C9B581121DEBCF94DB90EC88DDDB77CFB14309F104252F506E2000DB3095499F10

Function 0084CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 947fad7bcda00065bb690932772d9341e13090353a5f50920754c27451ad841c
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 1F023C71E012199FDF54CFA9C8806ADFBF5FF88314F25816AD919EB380D731AA418B94

Function 008968EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00896918
FindClose.KERNEL32(00000000), ref: 00896961

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d558397cecfd609c3dd17adbeb30e5d2758762ab03f57788bcb0d006c3ac8e09
Instruction ID: bb0209799c86b9dcb6f3cff5c5ca628e222bd030f3a337bd9e3fd29e00ff6441
Opcode Fuzzy Hash: d558397cecfd609c3dd17adbeb30e5d2758762ab03f57788bcb0d006c3ac8e09
Instruction Fuzzy Hash: EE1193316042109FCB10DF29D484A16BBE5FF89328F18C699F469CF6A2DB30EC45CB91

Function 008937B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,008A4891,?,?,00000035,?), ref: 008937E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,008A4891,?,?,00000035,?), ref: 008937F4

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 475aef8fa37891a20a3ef209c1c13df271a6ac2c9dfa6e4b9bdc943b7a23c7dc
Instruction ID: bda43ee956e6dd20d7b27355ba46fb888a216fd718ff549bbbbb7c6cc2666133
Opcode Fuzzy Hash: 475aef8fa37891a20a3ef209c1c13df271a6ac2c9dfa6e4b9bdc943b7a23c7dc
Instruction Fuzzy Hash: 29F0E5B06042283AEB2027AA9C4DFEB3BAEFFC4765F000275F509D2291D9609944C6B1

Function 0088B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0088B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0088B270

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 9a2f6646be96e78d1b5ce49efc4518316edf6f0c00c5cf86e8e4183ef3d9d8f3
Instruction ID: 09d485d918856fbdd54c028882df1a146eea770bdf3313791f53958e06e65024
Opcode Fuzzy Hash: 9a2f6646be96e78d1b5ce49efc4518316edf6f0c00c5cf86e8e4183ef3d9d8f3
Instruction Fuzzy Hash: 6FF01D7180424DABDB159FA4C805BEE7BB4FF04309F008119F955A6191C77996119F94

Function 008810BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008811FC), ref: 008810D4
CloseHandle.KERNEL32(?,?,008811FC), ref: 008810E9

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3f5cb9e774dc6cb68f21aa4f5862cc1bb299dfd35eb87c78de902af363b7fcc3
Instruction ID: 3b1e798e161ffba9aefedd8b744006bc51f12db7b4ecd253eb37c33f70fd14a8
Opcode Fuzzy Hash: 3f5cb9e774dc6cb68f21aa4f5862cc1bb299dfd35eb87c78de902af363b7fcc3
Instruction Fuzzy Hash: 17E04F32408600AFE7252B15FC09E7377E9FB04310F10892DF5A5C04B1DB626C90DB90

Function 0082CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00870C40

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: ff09869582e6cd51850b0b5d0ec078f0e02c07e7b96134215df952afdebc4c01
Instruction ID: a76ef60719fabd79f82abb9a35e67fb9fdcaf43ca33ab2b69d6df3a43dea4caf
Opcode Fuzzy Hash: ff09869582e6cd51850b0b5d0ec078f0e02c07e7b96134215df952afdebc4c01
Instruction Fuzzy Hash: 13329E70900228DBCF14DF94E981AFDB7B5FF05308F548059E80AEB296DB75AE85CB61

Function 0085676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00856766,?,?,00000008,?,?,0085FEFE,00000000), ref: 00856998

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: a6c69d2bd1ce8cada784dffdf945f6c183f0174e974ccbcd49c0807b086f28e4
Instruction ID: 969cc35116df706dd5b830dd02163ad695f3f60e9fb1243a71e8a0c9eea8c377
Opcode Fuzzy Hash: a6c69d2bd1ce8cada784dffdf945f6c183f0174e974ccbcd49c0807b086f28e4
Instruction Fuzzy Hash: 84B17D31610608DFD715CF28C486B647BE0FF0536AF698658EC99CF2A2D335D9A9CB40

Function 0083B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0087851F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 702c57e116b37593e27156eb17eb90d6c945dff871dc7867fea97f74947a4197
Instruction ID: f7df2a2c40b57e1a074a6e850f2713660b126416bb3f87777c3fef49e28d731f
Opcode Fuzzy Hash: 702c57e116b37593e27156eb17eb90d6c945dff871dc7867fea97f74947a4197
Instruction Fuzzy Hash: F5124EB1A00229DBCB14CF58C8816EEB7F5FF48710F14819AE949EB255EB349E81CB95

Function 0089EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0089EABD

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 53b45459a080f65e84f97c93d7b6866fbc605e552404e283c2400f4763914d06
Instruction ID: c605d7c6e20937d5957756a16c3d837c386aa079a5b8c4a823fe63656f7c5cdf
Opcode Fuzzy Hash: 53b45459a080f65e84f97c93d7b6866fbc605e552404e283c2400f4763914d06
Instruction Fuzzy Hash: 9CE012312002149FD710EF59D404E5ABBD9FFA8760F048416FC45C7261DA70A8418B91

Function 008409D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008403EE), ref: 008409DA

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7d17f19d7c7fd0006d3388b4122e2078a3175dd1348c0bb95df92b5a0295d9c7
Instruction ID: f95133f4abdd9a41895b434edb67ccd86ca5f11854a4c495a2c3c205ee053717
Opcode Fuzzy Hash: 7d17f19d7c7fd0006d3388b4122e2078a3175dd1348c0bb95df92b5a0295d9c7
Instruction Fuzzy Hash:

Function 0084781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0084798B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 95cb9d7062ade8681bc68663e75502b80089f5123516ad6cfbc0c1db0ac80d8b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 0551787160C74D9BDB38856C885E7BE6F89FB22344F180939D882D7282CB19DE05D35A

Function 00856DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c99f71d091652293ddb3cb631f8af7e6875ecf99ffdaaf187a91456f870075
Instruction ID: 35ae6959daee4729670cb96ba7fe0ed5abd4364a172b1fb624545bdb1f60eaba
Opcode Fuzzy Hash: b9c99f71d091652293ddb3cb631f8af7e6875ecf99ffdaaf187a91456f870075
Instruction Fuzzy Hash: 1832F122D29F014DD7239634E822335A659FFB73D6F15D737E81AB5AA6EB39C4834100

Function 0083CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07cfa6e89399ad964bd01f23c845b32bfcae3f3b494fb0d46f1019bf8d6d3326
Instruction ID: d26401f60a4ae6167ba94ab1ec414cf4d87a6624906d6586be92605638a29704
Opcode Fuzzy Hash: 07cfa6e89399ad964bd01f23c845b32bfcae3f3b494fb0d46f1019bf8d6d3326
Instruction Fuzzy Hash: 25320532A041598BCF28CE29C4D467DBBA1FB85314F28C56ED85EDB299D730DD82DB81

Function 00827920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be29b1b9528a1a11c9fa6f8146640b53083c7e3761850f94771aa9f3586b8d73
Instruction ID: 5c17aba93d889361260769fd1ed2f5ca962366ae17bf7096834218d9f26212a4
Opcode Fuzzy Hash: be29b1b9528a1a11c9fa6f8146640b53083c7e3761850f94771aa9f3586b8d73
Instruction Fuzzy Hash: 7022CFB0A0061ADFDF14CF69D981AAEB3B1FF44314F104529E812EB391EB36AD50CB51

Function 008291C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c361952c1aaae22f0259382670c59b70780947d6604e1ad4a94cee1df82c88ab
Instruction ID: 536dc7008219c4cefa6c0fb647c54d221d9b8453bc463f2d2526763da74321a6
Opcode Fuzzy Hash: c361952c1aaae22f0259382670c59b70780947d6604e1ad4a94cee1df82c88ab
Instruction Fuzzy Hash: 6602B5B0E00219EBDB04DF58D881AAEB7B1FF54304F118169E956DB391EB31AE60CBD1

Function 00859EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab883bd76c4845886a1f3e133f8c7242c2e33a224c6575d3103e54634e5b5a8
Instruction ID: 61c888164b6a964d6ac684874bd7f4f1e3744a5bfc86dafdfa715b74a139aa36
Opcode Fuzzy Hash: aab883bd76c4845886a1f3e133f8c7242c2e33a224c6575d3103e54634e5b5a8
Instruction Fuzzy Hash: 90B10320D2AF814DD32396399871336B66CBFBB6D5F91D71BFC1674E22EB2286834140

Function 00841C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: d3116f785be5b75acc22248754da08ac11d87f711e166a5930443ad4e1228a13
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: BC9168726080EB49DF294639857C13DFFE1FA523A531A079ED4F2CB1C5FE249994D620

Function 00841F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 236603d6edb6fdd731dafd8317471ae97fce5b23f9e5b37810c712e25ef94479
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: D291777220D1EB49DB294339857843EFFE1EA923A135A079DE4F2CB1C5EE24D598D620

Function 008419B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d023fd351b0204b6fb5844539d043cb73b58096f3a0aa6ba5901eb247ff77f6c
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0E9134722091EB4ADF6D867A857C03DFFE1EA923B531A079DD4F2CA1C1FE248594D620

Function 00847A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c698811c254abc55612932da550567659efaf87d46e3ef5afbeeaed67303db3c
Instruction ID: 512b0f9dd9f4b51383d97fecb4b838d94be115fa947ea0544061896ec2fa17bb
Opcode Fuzzy Hash: c698811c254abc55612932da550567659efaf87d46e3ef5afbeeaed67303db3c
Instruction Fuzzy Hash: 4661887160875D96EE34DA2C8C95BBE3398FF51768F10091EE983DB281DB119E42C356

Function 00847CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8b4dbc212161afdf18ab22893e63b5f5ba4a8ac9ed08f07c1778726fc0caa7
Instruction ID: 43e914c5af03f8308b11b9e0a0527cff804e9c5f099cbb20f02b800f849ee3bc
Opcode Fuzzy Hash: ad8b4dbc212161afdf18ab22893e63b5f5ba4a8ac9ed08f07c1778726fc0caa7
Instruction Fuzzy Hash: C7618F31E2C74DA7DE389A2C4D55BBF2394FF42B08F100A5AE943DB289E712DD428356

Function 00841706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 6a3ca13c5dac3476361d76bcc370eac592a6db67bdabfe8c9f53f8ef1a1e952a
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 728175326080EB49DF6D427A857C03EFFE1FA923A131A07ADD4F2CB1C5EE248594D620

Function 00892046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9642d89f94b075b32b05954e7e131b13038ceb30fe354cf8a2634d6c7efd063a
Instruction ID: fd3c2443fd0e8b297d218ea7c9bda3178d083e0d13ab014962eeef45dbd9c689
Opcode Fuzzy Hash: 9642d89f94b075b32b05954e7e131b13038ceb30fe354cf8a2634d6c7efd063a
Instruction Fuzzy Hash: 9C2196326206158BDB28CE79C81267A73E5F764320F19862EE4A7C37D1DE39A904CB80

Function 008A2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008A2B30
DeleteObject.GDI32(00000000), ref: 008A2B43
DestroyWindow.USER32 ref: 008A2B52
GetDesktopWindow.USER32 ref: 008A2B6D
GetWindowRect.USER32(00000000), ref: 008A2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 008A2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 008A2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008A2CF8
GetClientRect.USER32(00000000,?), ref: 008A2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008A2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008A2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008A2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008A2D80
GlobalLock.KERNEL32(00000000), ref: 008A2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008A2D98
GlobalUnlock.KERNEL32(00000000), ref: 008A2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008A2DA8
GlobalFree.KERNEL32(00000000), ref: 008A2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008A2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,008BFC38,00000000), ref: 008A2DDB
GlobalFree.KERNEL32(00000000), ref: 008A2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 008A2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 008A2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008A2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008A303F

Strings

DISPLAY, xrefs: 008A2EA2
AutoIt v3, xrefs: 008A2CF2
, xrefs: 008A2FC5
static, xrefs: 008A2D3A, 008A2E91

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ab421b7966690f2c357348725929c68c9e28ae51c7cdb1a036add75230e176ff
Instruction ID: 3292371ae7bf0e930a6c4f051c8aedcb59cae4118fb3c58b25e58ec6aa76a193
Opcode Fuzzy Hash: ab421b7966690f2c357348725929c68c9e28ae51c7cdb1a036add75230e176ff
Instruction Fuzzy Hash: 9A025A71900219EFDB14DF68CD89EAE7BB9FB49310F108258F915EB2A1DB74AD41CB60

Function 008B70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 008B712F
GetSysColorBrush.USER32(0000000F), ref: 008B7160
GetSysColor.USER32(0000000F), ref: 008B716C
SetBkColor.GDI32(?,000000FF), ref: 008B7186
SelectObject.GDI32(?,?), ref: 008B7195
InflateRect.USER32(?,000000FF,000000FF), ref: 008B71C0
GetSysColor.USER32(00000010), ref: 008B71C8
CreateSolidBrush.GDI32(00000000), ref: 008B71CF
FrameRect.USER32(?,?,00000000), ref: 008B71DE
DeleteObject.GDI32(00000000), ref: 008B71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 008B7230
FillRect.USER32(?,?,?), ref: 008B7262
GetWindowLongW.USER32(?,000000F0), ref: 008B7284

Part of subcall function 008B73E8: GetSysColor.USER32(00000012), ref: 008B7421
Part of subcall function 008B73E8: SetTextColor.GDI32(?,?), ref: 008B7425
Part of subcall function 008B73E8: GetSysColorBrush.USER32(0000000F), ref: 008B743B
Part of subcall function 008B73E8: GetSysColor.USER32(0000000F), ref: 008B7446
Part of subcall function 008B73E8: GetSysColor.USER32(00000011), ref: 008B7463
Part of subcall function 008B73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 008B7471
Part of subcall function 008B73E8: SelectObject.GDI32(?,00000000), ref: 008B7482
Part of subcall function 008B73E8: SetBkColor.GDI32(?,00000000), ref: 008B748B
Part of subcall function 008B73E8: SelectObject.GDI32(?,?), ref: 008B7498
Part of subcall function 008B73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008B74B7
Part of subcall function 008B73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008B74CE
Part of subcall function 008B73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008B74DB

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 6cdb763f9c7fb996cfa898a20f702e4f3e9d39f4e635bdf1495299bf7c7778d3
Instruction ID: 35958a5a4c1628f8a97440b991180b18086dd6b4809107da601c4a85bede440b
Opcode Fuzzy Hash: 6cdb763f9c7fb996cfa898a20f702e4f3e9d39f4e635bdf1495299bf7c7778d3
Instruction Fuzzy Hash: A9A16072008301AFDB119F64DC48E9F7BA9FB89321F100B19F9A2E62E1D775E945CB61

Function 00838D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00838E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00876AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00876AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00876F43

Part of subcall function 00838F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00838BE8,?,00000000,?,?,?,?,00838BBA,00000000,?), ref: 00838FC5

SendMessageW.USER32(?,00001053), ref: 00876F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00876F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00876FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00876FB7

Strings

0, xrefs: 00876DCF

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 0df79c2995bcc95b030bbc35a5febfc2e9287c584a02fbeeaa4fe4087c610eb5
Instruction ID: db3a611f91e38160193725cd4e8d1ba5914d1a4b2ebc777d105f5b60db6b4bd5
Opcode Fuzzy Hash: 0df79c2995bcc95b030bbc35a5febfc2e9287c584a02fbeeaa4fe4087c610eb5
Instruction Fuzzy Hash: 48129D30204A01DFDB25CF28C848BB6BBE5FB85310F548569F489DB265DB72EC61DB91

Function 008A2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 008A273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008A286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008A28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008A28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 008A2900
GetClientRect.USER32(00000000,?), ref: 008A290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 008A2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008A2964
GetStockObject.GDI32(00000011), ref: 008A2974
SelectObject.GDI32(00000000,00000000), ref: 008A2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 008A2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008A2991
DeleteDC.GDI32(00000000), ref: 008A299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008A29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008A29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 008A2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 008A2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 008A2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 008A2A77
GetStockObject.GDI32(00000011), ref: 008A2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008A2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 008A2A97

Strings

msctls_progress32, xrefs: 008A2A13
DISPLAY, xrefs: 008A295A
AutoIt v3, xrefs: 008A28F8
static, xrefs: 008A294F, 008A2A71

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: f8db8de10b42cad1e4bd5a4f6860a8a6b3d74a11519238918cb23282f4007145
Instruction ID: 6c75d42d90ce44043cf85af3c07870a928579e37b9ed887a68e7e771a2f9574a
Opcode Fuzzy Hash: f8db8de10b42cad1e4bd5a4f6860a8a6b3d74a11519238918cb23282f4007145
Instruction Fuzzy Hash: 1BB15C71A00219AFEB24DF69DC49FAEBBA9FB49714F004214F915EB690D774ED40CBA0

Function 00894ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00894AED
GetDriveTypeW.KERNEL32(?,008BCB68,?,\\.\,008BCC08), ref: 00894BCA
SetErrorMode.KERNEL32(00000000,008BCB68,?,\\.\,008BCC08), ref: 00894D36

Strings

Fixed, xrefs: 00894C09
SSD, xrefs: 00894C4A
Virtual, xrefs: 00894CE5
ATAPI, xrefs: 00894C91
SAS, xrefs: 00894CC9
PhysicalDrive, xrefs: 00894B76
CDROM, xrefs: 00894BFB
SCSI, xrefs: 00894C8A
Network, xrefs: 00894C02
FileBackedVirtual, xrefs: 00894CEC
ATA, xrefs: 00894C98
\\.\, xrefs: 00894B3F
MMC, xrefs: 00894CDE
RAID, xrefs: 00894CBB
Unknown, xrefs: 00894BED, 00894C83
1394, xrefs: 00894C9F
Fibre, xrefs: 00894CAD
iSCSI, xrefs: 00894CC2
Removable, xrefs: 00894C10, 00894C15
RAMDisk, xrefs: 00894BF4
SSA, xrefs: 00894CA6
SATA, xrefs: 00894CD0
USB, xrefs: 00894CB4

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 03f9c829acc10729346269158222352be3d146be363f44c0e8387f63cfe0fb6e
Instruction ID: 2349df969a6659254fe6bcf197a1ae7a6de2e2c28764ad9a32720612c371776a
Opcode Fuzzy Hash: 03f9c829acc10729346269158222352be3d146be363f44c0e8387f63cfe0fb6e
Instruction Fuzzy Hash: 8661C0307052499FCF04FF69CA81D6877A0FB15388B285055F816EB391EB3AED52DB42

Function 008B73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 008B7421
SetTextColor.GDI32(?,?), ref: 008B7425
GetSysColorBrush.USER32(0000000F), ref: 008B743B
GetSysColor.USER32(0000000F), ref: 008B7446
CreateSolidBrush.GDI32(?), ref: 008B744B
GetSysColor.USER32(00000011), ref: 008B7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 008B7471
SelectObject.GDI32(?,00000000), ref: 008B7482
SetBkColor.GDI32(?,00000000), ref: 008B748B
SelectObject.GDI32(?,?), ref: 008B7498
InflateRect.USER32(?,000000FF,000000FF), ref: 008B74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008B74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008B74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008B752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 008B7554
InflateRect.USER32(?,000000FD,000000FD), ref: 008B7572
DrawFocusRect.USER32(?,?), ref: 008B757D
GetSysColor.USER32(00000011), ref: 008B758E
SetTextColor.GDI32(?,00000000), ref: 008B7596
DrawTextW.USER32(?,008B70F5,000000FF,?,00000000), ref: 008B75A8
SelectObject.GDI32(?,?), ref: 008B75BF
DeleteObject.GDI32(?), ref: 008B75CA
SelectObject.GDI32(?,?), ref: 008B75D0
DeleteObject.GDI32(?), ref: 008B75D5
SetTextColor.GDI32(?,?), ref: 008B75DB
SetBkColor.GDI32(?,?), ref: 008B75E5

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: eea954f58c11f9c1dd4252607839df272e518cdb59485312cd99180bab447c00
Instruction ID: c80ca0e09a4b504aac9fac5718f3c63cf3099445789af429a87dcf7a3222084d
Opcode Fuzzy Hash: eea954f58c11f9c1dd4252607839df272e518cdb59485312cd99180bab447c00
Instruction Fuzzy Hash: 4B615C72904218AFDF119FA8DC49EEEBFB9FB49320F114215F915BB2A1D7749940CBA0

Function 008B0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008B1128
GetDesktopWindow.USER32 ref: 008B113D
GetWindowRect.USER32(00000000), ref: 008B1144
GetWindowLongW.USER32(?,000000F0), ref: 008B1199
DestroyWindow.USER32(?), ref: 008B11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008B11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008B120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008B121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 008B1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 008B1245
IsWindowVisible.USER32(00000000), ref: 008B12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008B12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008B12D0
GetWindowRect.USER32(00000000,?), ref: 008B12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 008B130E
GetMonitorInfoW.USER32(00000000,?), ref: 008B1328
CopyRect.USER32(?,?), ref: 008B133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008B13AA

Strings

0, xrefs: 008B10D3
(, xrefs: 008B131B
tooltips_class32, xrefs: 008B11E6

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 761fb0b1b1946b4b83a568a4973fd9ee23eca2f2f7b0e6899a0efaed170ea093
Instruction ID: 4371d5f3e8250f0cf8e8e057ee67c5fa5d672450b1dc909e4923214a4ac84106
Opcode Fuzzy Hash: 761fb0b1b1946b4b83a568a4973fd9ee23eca2f2f7b0e6899a0efaed170ea093
Instruction Fuzzy Hash: EAB19E71604351AFDB10DF68C898BAABBE4FF88350F40891CF999DB261D771E845CB92

Function 008B0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008B02E5
_wcslen.LIBCMT ref: 008B031F
_wcslen.LIBCMT ref: 008B0389
_wcslen.LIBCMT ref: 008B03F1
_wcslen.LIBCMT ref: 008B0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008B04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008B0504

Part of subcall function 0083F9F2: _wcslen.LIBCMT ref: 0083F9FD

Part of subcall function 0088223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00882258
Part of subcall function 0088223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0088228A

Strings

GETSELECTED, xrefs: 008B05E1
GETSELECTEDCOUNT, xrefs: 008B0470, 008B048B
VIEWCHANGE, xrefs: 008B0675
SELECT, xrefs: 008B0548
GETITEMCOUNT, xrefs: 008B0316, 008B0337
GETSUBITEMCOUNT, xrefs: 008B0384, 008B039F
DESELECT, xrefs: 008B059C
SELECTCLEAR, xrefs: 008B052D
SELECTINVERT, xrefs: 008B057E
GETTEXT, xrefs: 008B03EC, 008B0407
FINDITEM, xrefs: 008B0627
ISSELECTED, xrefs: 008B04DD
SELECTALL, xrefs: 008B0515

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 8e3b07496623fb94559b4bc4c52d5036a34f9e25abcb8e8841a9f574a15ed05f
Instruction ID: f30e3c9ea41b019998cca4ca9a893ae70aac8ee5d8b2de448b4f9e6ffef4bfec
Opcode Fuzzy Hash: 8e3b07496623fb94559b4bc4c52d5036a34f9e25abcb8e8841a9f574a15ed05f
Instruction Fuzzy Hash: A9E18D312083558BC724DF28D55096BB7E5FF99318B14455CF896EB3A2DB30ED45CB82

Function 00838891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00838968
GetSystemMetrics.USER32(00000007), ref: 00838970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0083899B
GetSystemMetrics.USER32(00000008), ref: 008389A3
GetSystemMetrics.USER32(00000004), ref: 008389C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008389E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008389F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00838A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00838A3C
GetClientRect.USER32(00000000,000000FF), ref: 00838A5A
GetStockObject.GDI32(00000011), ref: 00838A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00838A81

Part of subcall function 0083912D: GetCursorPos.USER32(?), ref: 00839141
Part of subcall function 0083912D: ScreenToClient.USER32(00000000,?), ref: 0083915E
Part of subcall function 0083912D: GetAsyncKeyState.USER32(00000001), ref: 00839183
Part of subcall function 0083912D: GetAsyncKeyState.USER32(00000002), ref: 0083919D

SetTimer.USER32(00000000,00000000,00000028,008390FC), ref: 00838AA8

Strings

AutoIt v3 GUI, xrefs: 00838A20

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: aac56a2cff718a83173a6095c7b3f7da4e97a23b2e5fa36d520c5ad520208eb0
Instruction ID: 3c60753b8da929924323be31de87b0ad36320ac8e9991d176114a2ab0e27b94d
Opcode Fuzzy Hash: aac56a2cff718a83173a6095c7b3f7da4e97a23b2e5fa36d520c5ad520208eb0
Instruction Fuzzy Hash: E3B13971A0020ADFDF14DFA8CD49BAA7BA5FB48354F108229FA15E7294DB74E850CB91

Function 00880D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00881114
Part of subcall function 008810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00880B9B,?,?,?), ref: 00881120
Part of subcall function 008810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00880B9B,?,?,?), ref: 0088112F
Part of subcall function 008810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00880B9B,?,?,?), ref: 00881136
Part of subcall function 008810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0088114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00880DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00880E29
GetLengthSid.ADVAPI32(?), ref: 00880E40
GetAce.ADVAPI32(?,00000000,?), ref: 00880E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00880E96
GetLengthSid.ADVAPI32(?), ref: 00880EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00880EB5
HeapAlloc.KERNEL32(00000000), ref: 00880EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00880EDD
CopySid.ADVAPI32(00000000), ref: 00880EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00880F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00880F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00880F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00880F6E
HeapFree.KERNEL32(00000000), ref: 00880F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00880F7E
HeapFree.KERNEL32(00000000), ref: 00880F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00880F8E
HeapFree.KERNEL32(00000000), ref: 00880F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00880FA1
HeapFree.KERNEL32(00000000), ref: 00880FA8

Part of subcall function 00881193: GetProcessHeap.KERNEL32(00000008,00880BB1,?,00000000,?,00880BB1,?), ref: 008811A1
Part of subcall function 00881193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00880BB1,?), ref: 008811A8
Part of subcall function 00881193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00880BB1,?), ref: 008811B7

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 6571b1d54e5c3076ba6182b46db217bd795fca4c7973c1bc51a00e693167b964
Instruction ID: 47c3ed3dd8f2d3341a687dfa9524cd0445198bfac27f5224965a67ebc48ff926
Opcode Fuzzy Hash: 6571b1d54e5c3076ba6182b46db217bd795fca4c7973c1bc51a00e693167b964
Instruction Fuzzy Hash: 47715E7190420AABDF60AFA4DC48FAEBBB8FF05350F148215FA59E6191DB719909CF60

Function 008AC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008AC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,008BCC08,00000000,?,00000000,?,?), ref: 008AC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 008AC5A4
_wcslen.LIBCMT ref: 008AC5F4
_wcslen.LIBCMT ref: 008AC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 008AC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 008AC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 008AC84D
RegCloseKey.ADVAPI32(?), ref: 008AC881
RegCloseKey.ADVAPI32(00000000), ref: 008AC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 008AC960

Strings

REG_QWORD, xrefs: 008AC8C3
REG_SZ, xrefs: 008AC644
REG_MULTI_SZ, xrefs: 008AC6F5
REG_EXPAND_SZ, xrefs: 008AC5CD
REG_BINARY, xrefs: 008AC913
REG_DWORD, xrefs: 008AC804

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 8b4728cc52da50e48e6cd26ccfe3cb42c3dd30ff3bdf7c517ac3d9052bc06fea
Instruction ID: 217dcab8158d6ae91ecddbce245f8470dc6e44093aac99e4621e9ad3ca3290c9
Opcode Fuzzy Hash: 8b4728cc52da50e48e6cd26ccfe3cb42c3dd30ff3bdf7c517ac3d9052bc06fea
Instruction Fuzzy Hash: 011278356042119FDB14DF19D881A2AB7E5FF89714F04886CF89ADB7A2DB35EC41CB82

Function 008B091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008B09C6
_wcslen.LIBCMT ref: 008B0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008B0A54
_wcslen.LIBCMT ref: 008B0A8A
_wcslen.LIBCMT ref: 008B0B06
_wcslen.LIBCMT ref: 008B0B81

Part of subcall function 0083F9F2: _wcslen.LIBCMT ref: 0083F9FD

Part of subcall function 00882BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00882BFA

Strings

GETSELECTED, xrefs: 008B0C4E
COLLAPSE, xrefs: 008B0B01, 008B0B1C
GETITEMCOUNT, xrefs: 008B0C1E
ISCHECKED, xrefs: 008B0CE1
EXISTS, xrefs: 008B0B7C, 008B0B97
GETTOTALCOUNT, xrefs: 008B09F2, 008B0A17
UNCHECK, xrefs: 008B0D3E
EXPAND, xrefs: 008B0BF8
CHECK, xrefs: 008B0A85, 008B0AA0
GETTEXT, xrefs: 008B0C97
SELECT, xrefs: 008B0D11

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 540b59b8d1a490325614e90f419cf208fd7275235f3e3bd8f2fd5f62d0a72379
Instruction ID: 372007cc91bfe2f6674a3e0db2338c3811b00633ed5547521934e11afb192905
Opcode Fuzzy Hash: 540b59b8d1a490325614e90f419cf208fd7275235f3e3bd8f2fd5f62d0a72379
Instruction Fuzzy Hash: 32E168312083518FC714EF29C45096ABBE1FF99358B14895DF896EB3A2DB31ED45CB82

Function 008AC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,008AB6AE,?,?), ref: 008AC9B5
_wcslen.LIBCMT ref: 008AC9F1
_wcslen.LIBCMT ref: 008ACA68
_wcslen.LIBCMT ref: 008ACA9E
_wcslen.LIBCMT ref: 008ACAF9
_wcslen.LIBCMT ref: 008ACB2F
_wcslen.LIBCMT ref: 008ACB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 008ACA62, 008ACA67
HKCU, xrefs: 008ACBCE
HKEY_CURRENT_CONFIG, xrefs: 008ACB79, 008ACB7E
HKEY_USERS, xrefs: 008ACBDF
HKCR, xrefs: 008ACB29, 008ACB2E
HKCC, xrefs: 008ACBAC
HKLM, xrefs: 008ACA98, 008ACA9D
HKEY_CURRENT_USER, xrefs: 008ACBBD
HKU, xrefs: 008ACBF0
HKEY_CLASSES_ROOT, xrefs: 008ACAF3, 008ACAF8

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 7172912a2b4a9fb22247f9ca502a4857b0755248508e4b8e8eb0a305dcfd5428
Instruction ID: b930ebf7adfac22819056f42f4db287908aec2c9c93ea5e154a798e8c5470e3d
Opcode Fuzzy Hash: 7172912a2b4a9fb22247f9ca502a4857b0755248508e4b8e8eb0a305dcfd5428
Instruction Fuzzy Hash: 5F71047260017A8BEB20DE7CCC416BA3791FB62764F150124F866DB694EA35DD86C3A1

Function 008B833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008B835A
_wcslen.LIBCMT ref: 008B836E
_wcslen.LIBCMT ref: 008B8391
_wcslen.LIBCMT ref: 008B83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008B83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,008B5BF2), ref: 008B844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008B8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008B84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008B8501
FreeLibrary.KERNEL32(?), ref: 008B850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008B851D
DestroyIcon.USER32(?,?,?,?,?,008B5BF2), ref: 008B852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 008B8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 008B8555

Strings

.exe, xrefs: 008B8388
.dll, xrefs: 008B83AB
.icl, xrefs: 008B8368

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 1bbf9f903b5af504b2616683eca62b30f2862d3c88fc23142b3cf51aeb7bc313
Instruction ID: d470b8a6e70f11fde956a4c7f0893289102f5176856fb012347db9a1bbe43ede
Opcode Fuzzy Hash: 1bbf9f903b5af504b2616683eca62b30f2862d3c88fc23142b3cf51aeb7bc313
Instruction Fuzzy Hash: CC619D71540619FAEB24DF68DC81BFE7BACFB08B11F104609F815D62D1DB74A980DBA0

Function 00827778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 00827817
#notrayicon, xrefs: 008277E7
#comments-start, xrefs: 0082785F, 008278B1
#comments-end, xrefs: 008278D9
Unterminated group of comments, xrefs: 0086528C
#cs, xrefs: 00827873, 008278C5
#include, xrefs: 00827847
', xrefs: 00865169
#ce, xrefs: 008278ED
", xrefs: 00865153
#pragma compile, xrefs: 008277D3
#requireadmin, xrefs: 008277FF
Bad directive syntax error, xrefs: 0086519A
Cannot parse #include, xrefs: 00865279
#include-once, xrefs: 0082782F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 51e950d1944a7b0681e58b7f23de763e373bb46b7755aa8dd5c91dac59eb021c
Instruction ID: a552580d651358feb62bc8fcb35d37cfda243ecef22123fc14bbe316d16d0474
Opcode Fuzzy Hash: 51e950d1944a7b0681e58b7f23de763e373bb46b7755aa8dd5c91dac59eb021c
Instruction Fuzzy Hash: 7E81E871604229BFDB20AF65EC52FAE37A8FF55300F044025F905EA296EB74DA91C792

Function 00893E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00893EF8
_wcslen.LIBCMT ref: 00893F03
_wcslen.LIBCMT ref: 00893F5A
_wcslen.LIBCMT ref: 00893F98
GetDriveTypeW.KERNEL32(?), ref: 00893FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0089401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00894059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00894087

Strings

close cd wait, xrefs: 00894072
closed, xrefs: 00893F08, 00893F2D, 00893F46, 00893F7E, 00893F97
wait, xrefs: 00894044
set cd door , xrefs: 00894028
open , xrefs: 00893FE5
open, xrefs: 00893F54, 00893F59
type cdaudio alias cd wait, xrefs: 00894001
close, xrefs: 00893EFE, 00893F18

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: df4914379dd41307db845fd8ff4cd401376fe5ba087f3b1394ed0fbcfa0a33d8
Instruction ID: c1de0daf5f5957bff0e2ecd00a2b54053e6f75812e53215b527bab133a34e446
Opcode Fuzzy Hash: df4914379dd41307db845fd8ff4cd401376fe5ba087f3b1394ed0fbcfa0a33d8
Instruction Fuzzy Hash: 7A71D2326042119FCB10EF28C88096AB7F4FFA5768F14492DF995D7251EB31ED4ACB92

Function 00885A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00885A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00885A40
SetWindowTextW.USER32(?,?), ref: 00885A57
GetDlgItem.USER32(?,000003EA), ref: 00885A6C
SetWindowTextW.USER32(00000000,?), ref: 00885A72
GetDlgItem.USER32(?,000003E9), ref: 00885A82
SetWindowTextW.USER32(00000000,?), ref: 00885A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00885AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00885AC3
GetWindowRect.USER32(?,?), ref: 00885ACC
_wcslen.LIBCMT ref: 00885B33
SetWindowTextW.USER32(?,?), ref: 00885B6F
GetDesktopWindow.USER32 ref: 00885B75
GetWindowRect.USER32(00000000), ref: 00885B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00885BD3
GetClientRect.USER32(?,?), ref: 00885BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00885C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00885C2F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 31e48a402912ec5e4bfd4b099de07462d1567aafe14a97143365035b442fb64f
Instruction ID: b975a944554a171d4eb05ad739750de09c4b4ddd24c8ef03257936ab651b85df
Opcode Fuzzy Hash: 31e48a402912ec5e4bfd4b099de07462d1567aafe14a97143365035b442fb64f
Instruction Fuzzy Hash: 67716E31900B09AFDB20EFA8CE85EAEBBF5FF58714F104618E582E65A0D775E944CB50

Function 0089FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0089FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0089FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0089FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0089FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0089FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0089FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0089FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0089FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0089FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0089FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0089FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0089FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0089FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0089FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0089FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0089FECC
GetCursorInfo.USER32(?), ref: 0089FEDC
GetLastError.KERNEL32 ref: 0089FF1E

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 65decfafd553fdb2149d3fd0ac3d2c23f9400405415b46ea53c38af19a7e8f06
Instruction ID: 85d677c20620c01c7382e1104b8b363ad167c3eb109a3525aeac141fcdc1cffc
Opcode Fuzzy Hash: 65decfafd553fdb2149d3fd0ac3d2c23f9400405415b46ea53c38af19a7e8f06
Instruction Fuzzy Hash: EF4144B0D443196ADB10DFBA8C8985EBFE8FF04754B54452AF11DE7281DB789901CE91

Function 008400C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008400C6

Part of subcall function 008400ED: InitializeCriticalSectionAndSpinCount.KERNEL32(008F070C,00000FA0,02B073D4,?,?,?,?,008623B3,000000FF), ref: 0084011C
Part of subcall function 008400ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008623B3,000000FF), ref: 00840127
Part of subcall function 008400ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008623B3,000000FF), ref: 00840138
Part of subcall function 008400ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0084014E
Part of subcall function 008400ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0084015C
Part of subcall function 008400ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0084016A
Part of subcall function 008400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00840195
Part of subcall function 008400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008401A0

___scrt_fastfail.LIBCMT ref: 008400E7

Part of subcall function 008400A3: __onexit.LIBCMT ref: 008400A9

Strings

SleepConditionVariableCS, xrefs: 00840154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00840122
InitializeConditionVariable, xrefs: 00840148
kernel32.dll, xrefs: 00840133
WakeAllConditionVariable, xrefs: 00840162

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 5b88fa48070d0b560962a3f4cd85c14d51d054ab033ec0c98aafc074c3e23b40
Instruction ID: e9ff88985b9e71ec2c17fae6b322d3a94541e2b4653fc1466cdab484c8095310
Opcode Fuzzy Hash: 5b88fa48070d0b560962a3f4cd85c14d51d054ab033ec0c98aafc074c3e23b40
Instruction Fuzzy Hash: 6021F932A447186FD7106B78AC45B6B37D8FB44B51F040639FB11E6393DB7898008EA1

Function 008830F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0088318D
_wcslen.LIBCMT ref: 008831F8

Strings

CLASSNN, xrefs: 008831F3, 00883204
TEXT, xrefs: 0088347C
INSTANCE, xrefs: 00883453
NAME, xrefs: 00883335, 00883346
REGEXPCLASS, xrefs: 00883255, 00883266
CLASS, xrefs: 00883188, 008831A5

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 888508e003491c5539d1ddaa371dd190424a0e2e64f8283781e255a55c758128
Instruction ID: ec6935ed2f3a57fbd0a3f87d07969f55b38f12d450ff15b83784883508782707
Opcode Fuzzy Hash: 888508e003491c5539d1ddaa371dd190424a0e2e64f8283781e255a55c758128
Instruction Fuzzy Hash: 0DE1E631A0052AABCB18EFA8C4517EEBBB0FF54B14F548129E456F7240DB70AF858790

Function 008944C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,008BCC08), ref: 00894527
_wcslen.LIBCMT ref: 0089453B
_wcslen.LIBCMT ref: 00894599
_wcslen.LIBCMT ref: 008945F4
_wcslen.LIBCMT ref: 0089463F
_wcslen.LIBCMT ref: 008946A7

Part of subcall function 0083F9F2: _wcslen.LIBCMT ref: 0083F9FD

GetDriveTypeW.KERNEL32(?,008E6BF0,00000061), ref: 00894743

Strings

fixed, xrefs: 00894635, 0089463A
network, xrefs: 0089469D, 008946A2
ramdisk, xrefs: 008946F1
cdrom, xrefs: 0089458F, 00894594
unknown, xrefs: 00894708
all, xrefs: 00894531, 00894536
removable, xrefs: 008945EA, 008945EF

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 079027668007a583b25529f7075c169777fd312c2931a535943c60ab34967418
Instruction ID: b0e1aeea75d2da7f2cb62a8f9f86ae9ea9e0f1789139cdd22a49db5c3f94c6ba
Opcode Fuzzy Hash: 079027668007a583b25529f7075c169777fd312c2931a535943c60ab34967418
Instruction Fuzzy Hash: C8B122716083029FCB10EF28C890E6AB7E5FFA5764F18591CF496C7291E730D886CB92

Function 008A3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,008BCC08), ref: 008A40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008A40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,008BCC08), ref: 008A40F2
FreeLibrary.KERNEL32(00000000,?,008BCC08), ref: 008A413E
StringFromGUID2.OLE32(?,?,00000028,?,008BCC08), ref: 008A41A8
SysFreeString.OLEAUT32(00000009), ref: 008A4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008A42C8
SysFreeString.OLEAUT32(?), ref: 008A42F2

Strings

GetModuleHandleExW, xrefs: 008A40C7
kernel32.dll, xrefs: 008A40B6

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 349a4860b1127c82ea5212a180cee510391708eacf42448d6625ca3e135d3b38
Instruction ID: 6999fdaffd57db382968eec8007bae7a18e26cfa049471650c31bf84262d6925
Opcode Fuzzy Hash: 349a4860b1127c82ea5212a180cee510391708eacf42448d6625ca3e135d3b38
Instruction Fuzzy Hash: 70122875A00119AFEF14CF54C884EAEB7B5FF8A318F248098E905DB651D771ED86CBA0

Function 0082326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(008F1990), ref: 00862F8D
GetMenuItemCount.USER32(008F1990), ref: 0086303D
GetCursorPos.USER32(?), ref: 00863081
SetForegroundWindow.USER32(00000000), ref: 0086308A
TrackPopupMenuEx.USER32(008F1990,00000000,?,00000000,00000000,00000000), ref: 0086309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008630A9

Strings

0, xrefs: 0082327D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 79cb9f469a64b297638626a6bdc9481286b05c8be1e17944d442da632cd7cce2
Instruction ID: 4d36d9266eed3826280305fc2a3ff7a4541b352b459f6e14514f47cbbf3e33e0
Opcode Fuzzy Hash: 79cb9f469a64b297638626a6bdc9481286b05c8be1e17944d442da632cd7cce2
Instruction Fuzzy Hash: A2714970640615BFEB319F28DC59FAABF69FF05324F200216F524EA1E1CBB1A950CB91

Function 008B6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 008B6DEB

Part of subcall function 00826B57: _wcslen.LIBCMT ref: 00826B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 008B6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 008B6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008B6E94
DestroyWindow.USER32(?), ref: 008B6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00820000,00000000), ref: 008B6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008B6EFD
GetDesktopWindow.USER32 ref: 008B6F16
GetWindowRect.USER32(00000000), ref: 008B6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008B6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 008B6F4D

Part of subcall function 00839944: GetWindowLongW.USER32(?,000000EB), ref: 00839952

Strings

tooltips_class32, xrefs: 008B6E58, 008B6EDD
0, xrefs: 008B6D98

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 5c908e60ee56db38296b7cd67abb62807e60484429db0af0479bafc4abf2b0be
Instruction ID: 4243e86b87fe9d0374ae784c242b4c81d9381f4d5f355739296737a475e80b91
Opcode Fuzzy Hash: 5c908e60ee56db38296b7cd67abb62807e60484429db0af0479bafc4abf2b0be
Instruction Fuzzy Hash: 5A717571604244AFDB20CF28D848EBABBE9FB99304F54051DF989C7360EB74E915CB12

Function 008B911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00839BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00839BB2

DragQueryPoint.SHELL32(?,?), ref: 008B9147

Part of subcall function 008B7674: ClientToScreen.USER32(?,?), ref: 008B769A
Part of subcall function 008B7674: GetWindowRect.USER32(?,?), ref: 008B7710
Part of subcall function 008B7674: PtInRect.USER32(?,?,008B8B89), ref: 008B7720

SendMessageW.USER32(?,000000B0,?,?), ref: 008B91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008B91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008B91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 008B9225
SendMessageW.USER32(?,000000B0,?,?), ref: 008B923E
SendMessageW.USER32(?,000000B1,?,?), ref: 008B9255
SendMessageW.USER32(?,000000B1,?,?), ref: 008B9277
DragFinish.SHELL32(?), ref: 008B927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 008B9371

Strings

@GUI_DRAGID, xrefs: 008B92E9
@GUI_DRAGFILE, xrefs: 008B9320
@GUI_DROPID, xrefs: 008B929E

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: ee727764eb3a60173023def158e11665e10a40add2467ccedd0168e6985cec10
Instruction ID: 882b07c7f91c6c80dbae6145a078486756178aa71cc5a1735179e0997911e313
Opcode Fuzzy Hash: ee727764eb3a60173023def158e11665e10a40add2467ccedd0168e6985cec10
Instruction Fuzzy Hash: 6D614971108305AFD701DF64D885DABBBE8FF99750F000A2DF695922A1DB709A49CB62

Function 0089C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0089C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0089C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0089C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0089C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0089C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0089C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0089C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0089C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0089C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0089C5F0
InternetCloseHandle.WININET(00000000), ref: 0089C5FB

Strings

, xrefs: 0089C575

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 9b39e60eb03b45ef0bb432e5e3b4f3f512c576fc48c6ee02d4a11269c5563832
Instruction ID: b9b0d112cd42726212ff6e5d88bf696f3729ef6a9e9e2614ace195a0aa8da9de
Opcode Fuzzy Hash: 9b39e60eb03b45ef0bb432e5e3b4f3f512c576fc48c6ee02d4a11269c5563832
Instruction Fuzzy Hash: 1A516CB0600208BFEF21AF65C988AAB7BFCFF08744F044519F946D6610DB72E944DBA1

Function 008B856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 008B8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008B85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008B85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008B85BA
GlobalLock.KERNEL32(00000000), ref: 008B85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008B85D7
GlobalUnlock.KERNEL32(00000000), ref: 008B85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008B85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008B85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,008BFC38,?), ref: 008B8611
GlobalFree.KERNEL32(00000000), ref: 008B8621
GetObjectW.GDI32(?,00000018,?), ref: 008B8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 008B8671
DeleteObject.GDI32(?), ref: 008B8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008B86AF

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 20bc583f0b41de7e9b86db23167736cd5bbe1b8d3bb852dc5fe590e2257203e0
Instruction ID: 1d5daf5a1d4363b395712d3595b26e8648db67902bee1c67c4a48b2d2de7ce63
Opcode Fuzzy Hash: 20bc583f0b41de7e9b86db23167736cd5bbe1b8d3bb852dc5fe590e2257203e0
Instruction Fuzzy Hash: 6D410975600209EFDB119FA5CC48EAA7BBCFF99715F104159F919E7260DB309901CB60

Function 008914BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00891502
VariantCopy.OLEAUT32(?,?), ref: 0089150B
VariantClear.OLEAUT32(?), ref: 00891517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008915FB
VarR8FromDec.OLEAUT32(?,?), ref: 00891657
VariantInit.OLEAUT32(?), ref: 00891708
SysFreeString.OLEAUT32(?), ref: 0089178C
VariantClear.OLEAUT32(?), ref: 008917D8
VariantClear.OLEAUT32(?), ref: 008917E7
VariantInit.OLEAUT32(00000000), ref: 00891823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00891625
Default, xrefs: 008916AF

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: cb06ba2234237efc66bb3ab4c5bc5f816881fbb7f3c1b95997639f430d0a81a2
Instruction ID: 9e919926a52ccd943bcdb2de52db65956d8fa1142b013d0ace2d4548d3b57a9c
Opcode Fuzzy Hash: cb06ba2234237efc66bb3ab4c5bc5f816881fbb7f3c1b95997639f430d0a81a2
Instruction Fuzzy Hash: AFD1E131A0811AEBDF00AF69D889B79B7B5FF44704F1A8056F446EB291DB30DD41DBA2

Function 008AB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

Part of subcall function 008AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008AB6AE,?,?), ref: 008AC9B5
Part of subcall function 008AC998: _wcslen.LIBCMT ref: 008AC9F1
Part of subcall function 008AC998: _wcslen.LIBCMT ref: 008ACA68
Part of subcall function 008AC998: _wcslen.LIBCMT ref: 008ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008AB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008AB772
RegDeleteValueW.ADVAPI32(?,?), ref: 008AB80A
RegCloseKey.ADVAPI32(?), ref: 008AB87E
RegCloseKey.ADVAPI32(?), ref: 008AB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 008AB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008AB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 008AB922
FreeLibrary.KERNEL32(00000000), ref: 008AB983
RegCloseKey.ADVAPI32(00000000), ref: 008AB994

Strings

advapi32.dll, xrefs: 008AB8ED
RegDeleteKeyExW, xrefs: 008AB8FE

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 4a1d3ffe827af83942b1744e688e41e5ace7d63c449fefc858189759cb818979
Instruction ID: 74658c3b57d3efcd053595631b454b49224004d3b49e35da172b559c92fcf38f
Opcode Fuzzy Hash: 4a1d3ffe827af83942b1744e688e41e5ace7d63c449fefc858189759cb818979
Instruction Fuzzy Hash: 00C17D30204241AFE714DF18C494F2ABBE5FF85318F18855CF49A8B6A2DB75ED85CB92

Function 008A255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008A25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008A25E8
CreateCompatibleDC.GDI32(?), ref: 008A25F4
SelectObject.GDI32(00000000,?), ref: 008A2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 008A266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008A26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008A26D0
SelectObject.GDI32(?,?), ref: 008A26D8
DeleteObject.GDI32(?), ref: 008A26E1
DeleteDC.GDI32(?), ref: 008A26E8
ReleaseDC.USER32(00000000,?), ref: 008A26F3

Strings

(, xrefs: 008A268D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7378cb07135253f90438d0db0d7edaaf050432823cb95730f59bcb26b844b09a
Instruction ID: e317f491ffa65600fdaad8a63cae396bfc45f060e8f51135c85d91fca7e7c054
Opcode Fuzzy Hash: 7378cb07135253f90438d0db0d7edaaf050432823cb95730f59bcb26b844b09a
Instruction Fuzzy Hash: AE61D175D00219EFDF14CFA8D984AAEBBB5FF48310F208529E955E7250E770A951CFA0

Function 0085DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0085DAA1

Part of subcall function 0085D63C: _free.LIBCMT ref: 0085D659
Part of subcall function 0085D63C: _free.LIBCMT ref: 0085D66B
Part of subcall function 0085D63C: _free.LIBCMT ref: 0085D67D
Part of subcall function 0085D63C: _free.LIBCMT ref: 0085D68F
Part of subcall function 0085D63C: _free.LIBCMT ref: 0085D6A1
Part of subcall function 0085D63C: _free.LIBCMT ref: 0085D6B3
Part of subcall function 0085D63C: _free.LIBCMT ref: 0085D6C5
Part of subcall function 0085D63C: _free.LIBCMT ref: 0085D6D7
Part of subcall function 0085D63C: _free.LIBCMT ref: 0085D6E9
Part of subcall function 0085D63C: _free.LIBCMT ref: 0085D6FB
Part of subcall function 0085D63C: _free.LIBCMT ref: 0085D70D
Part of subcall function 0085D63C: _free.LIBCMT ref: 0085D71F
Part of subcall function 0085D63C: _free.LIBCMT ref: 0085D731

_free.LIBCMT ref: 0085DA96

Part of subcall function 008529C8: HeapFree.KERNEL32(00000000,00000000,?,0085D7D1,00000000,00000000,00000000,00000000,?,0085D7F8,00000000,00000007,00000000,?,0085DBF5,00000000), ref: 008529DE
Part of subcall function 008529C8: GetLastError.KERNEL32(00000000,?,0085D7D1,00000000,00000000,00000000,00000000,?,0085D7F8,00000000,00000007,00000000,?,0085DBF5,00000000,00000000), ref: 008529F0

_free.LIBCMT ref: 0085DAB8
_free.LIBCMT ref: 0085DACD
_free.LIBCMT ref: 0085DAD8
_free.LIBCMT ref: 0085DAFA
_free.LIBCMT ref: 0085DB0D
_free.LIBCMT ref: 0085DB1B
_free.LIBCMT ref: 0085DB26
_free.LIBCMT ref: 0085DB5E
_free.LIBCMT ref: 0085DB65
_free.LIBCMT ref: 0085DB82
_free.LIBCMT ref: 0085DB9A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fe5c2065ee3ebae3ac6d47f5cd47bdae3af7281c3fc528eb5de6cfccf7fd262a
Instruction ID: 3ea79b260e6c07ce6985714f27925c397bdbd5ec0b29806bba12cfac4f2621c0
Opcode Fuzzy Hash: fe5c2065ee3ebae3ac6d47f5cd47bdae3af7281c3fc528eb5de6cfccf7fd262a
Instruction Fuzzy Hash: 44314D316047059FEB32AA39E845F967BE9FF01322F554419EC49E7291DF31AC48C722

Function 0088365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0088369C
_wcslen.LIBCMT ref: 008836A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00883797
GetClassNameW.USER32(?,?,00000400), ref: 0088380C
GetDlgCtrlID.USER32(?), ref: 0088385D
GetWindowRect.USER32(?,?), ref: 00883882
GetParent.USER32(?), ref: 008838A0
ScreenToClient.USER32(00000000), ref: 008838A7
GetClassNameW.USER32(?,?,00000100), ref: 00883921
GetWindowTextW.USER32(?,?,00000400), ref: 0088395D

Strings

%s%u, xrefs: 00883734

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 2c6b042df18f8c07d307d9924c054a7126b595b3be7280f03945331fd9b9aa41
Instruction ID: ee78a1b62c4cb6a1e0348f31af1a71819e8d16c8bed38a1a023fad3813093c28
Opcode Fuzzy Hash: 2c6b042df18f8c07d307d9924c054a7126b595b3be7280f03945331fd9b9aa41
Instruction Fuzzy Hash: 1491D571204706AFD719EF24C885FAAFBE8FF45750F008629F999C2191EB30EA45CB91

Function 00884954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00884994
GetWindowTextW.USER32(?,?,00000400), ref: 008849DA
_wcslen.LIBCMT ref: 008849EB
CharUpperBuffW.USER32(?,00000000), ref: 008849F7
_wcsstr.LIBVCRUNTIME ref: 00884A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00884A64
GetWindowTextW.USER32(?,?,00000400), ref: 00884A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00884AE6
GetClassNameW.USER32(?,?,00000400), ref: 00884B20
GetWindowRect.USER32(?,?), ref: 00884B8B

Strings

ThumbnailClass, xrefs: 00884A6F, 00884AF1

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b65e37d36327e7e16f456498640e9f3ec233c07f061185b2dcc430e1d496747f
Instruction ID: e46815ce231884afa7c6bc5a18cba61ade972d7dcaf87614c303f0ad92aaada7
Opcode Fuzzy Hash: b65e37d36327e7e16f456498640e9f3ec233c07f061185b2dcc430e1d496747f
Instruction Fuzzy Hash: 1791E27200420A9FDB04EF54C981FAA77E9FF44314F04946AFD85DA096EB34ED45CBA2

Function 008B8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00839BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00839BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008B8D5A
GetFocus.USER32 ref: 008B8D6A
GetDlgCtrlID.USER32(00000000), ref: 008B8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 008B8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 008B8ECF
GetMenuItemCount.USER32(?), ref: 008B8EEC
GetMenuItemID.USER32(?,00000000), ref: 008B8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 008B8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 008B8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008B8FA1

Strings

0, xrefs: 008B8E9F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: e0dc111b2525af3576fa7890ccd372dd7b57634d3035c4fc88d76bd2e3ef1ce6
Instruction ID: d087161805b1e3f8a41304aa4c4a957e28cbf44bbb335c6799d6d3e35862b75b
Opcode Fuzzy Hash: e0dc111b2525af3576fa7890ccd372dd7b57634d3035c4fc88d76bd2e3ef1ce6
Instruction Fuzzy Hash: 47816A71508305EFDB20CF24D885AABBBE9FB88754F140A1AF995D7391DB70D900CBA2

Function 0088BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(008F1990,000000FF,00000000,00000030), ref: 0088BFAC
SetMenuItemInfoW.USER32(008F1990,00000004,00000000,00000030), ref: 0088BFE1
Sleep.KERNEL32(000001F4), ref: 0088BFF3
GetMenuItemCount.USER32(?), ref: 0088C039
GetMenuItemID.USER32(?,00000000), ref: 0088C056
GetMenuItemID.USER32(?,-00000001), ref: 0088C082
GetMenuItemID.USER32(?,?), ref: 0088C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0088C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0088C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0088C145

Strings

0, xrefs: 0088BF3D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 7aef35c0b3379b536b914f7272893938999d4666e41ffe8010089945ad6409e9
Instruction ID: 8e4e2b87daf91e047b5ddf2833ecca6eca76b4e3bd6cbe5edd791c0c25bf62b8
Opcode Fuzzy Hash: 7aef35c0b3379b536b914f7272893938999d4666e41ffe8010089945ad6409e9
Instruction Fuzzy Hash: 90618CB090024AEFDF21EF68DC88EAEBBA8FB45344F100115E911E3292DB35AD04CB71

Function 0088DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0088DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0088DC46
_wcslen.LIBCMT ref: 0088DC50
_wcsstr.LIBVCRUNTIME ref: 0088DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0088DCBC

Strings

\VarFileInfo\Translation, xrefs: 0088DCB4
04090000, xrefs: 0088DCF2
StringFileInfo\, xrefs: 0088DC8F
DefaultLangCodepage, xrefs: 0088DD1F
%u.%u.%u.%u, xrefs: 0088DD9A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: a9564a0fc4f3b20c90cac38b037b385d357a310fb0c31b09473a3e0dc6ecae44
Instruction ID: ab599db7aae582dc4b9ba73ea3edb20154b6d063e91af39bcb63b7deb34f5e76
Opcode Fuzzy Hash: a9564a0fc4f3b20c90cac38b037b385d357a310fb0c31b09473a3e0dc6ecae44
Instruction Fuzzy Hash: A141E0329403197BDB20B66ADC47EBF776CFF52760F10006AF904E6283EA64990197A6

Function 008ACC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 008ACC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 008ACC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 008ACD48

Part of subcall function 008ACC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 008ACCAA
Part of subcall function 008ACC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 008ACCBD
Part of subcall function 008ACC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008ACCCF
Part of subcall function 008ACC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 008ACD05
Part of subcall function 008ACC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 008ACD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 008ACCF3

Strings

advapi32.dll, xrefs: 008ACCB8
RegDeleteKeyExW, xrefs: 008ACCC9

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: bf8d49b810837472354f64ab388034f5493d0344c58de04d7e192c1e6d1c4a11
Instruction ID: 8ecb441910474e85251d9512b487c105aa74510a8d1ff2803ee300b32d83d99e
Opcode Fuzzy Hash: bf8d49b810837472354f64ab388034f5493d0344c58de04d7e192c1e6d1c4a11
Instruction Fuzzy Hash: F5318D71901128BBEB209B95DC88EFFBB7CFF16750F000165F916E2240DB749A46DAB0

Function 00893D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00893D40
_wcslen.LIBCMT ref: 00893D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00893D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00893DBE
RemoveDirectoryW.KERNEL32(?), ref: 00893DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00893E55
CloseHandle.KERNEL32(00000000), ref: 00893E60
CloseHandle.KERNEL32(00000000), ref: 00893E6B

Strings

\, xrefs: 00893D77
\??\%s, xrefs: 00893D5B
:, xrefs: 00893D82

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 9e08bc0357ff0d3d8f2424ea4ad20bab93a4ca007d010035f29b771f1655669a
Instruction ID: 747a05c64eaad838ce8c21ffcb58e6e4391d8edfa9efba1ec1392e56a1f07788
Opcode Fuzzy Hash: 9e08bc0357ff0d3d8f2424ea4ad20bab93a4ca007d010035f29b771f1655669a
Instruction Fuzzy Hash: 2031AD7290420AABDB20ABA4DC48FAF37BCFF88700F1441B5F619D6160EB7497448B24

Function 0088E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0088E6B4

Part of subcall function 0083E551: timeGetTime.WINMM(?,?,0088E6D4), ref: 0083E555

Sleep.KERNEL32(0000000A), ref: 0088E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0088E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0088E727
SetActiveWindow.USER32 ref: 0088E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0088E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0088E773
Sleep.KERNEL32(000000FA), ref: 0088E77E
IsWindow.USER32 ref: 0088E78A
EndDialog.USER32(00000000), ref: 0088E79B

Strings

BUTTON, xrefs: 0088E719

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a1428e8900b675f98284af4cfea6d56455672c80c483387f0b4f29c122f30612
Instruction ID: dfff6b3824257e712ed5fd4e42a813a446f9cc423365971a3ea3d96022add3d1
Opcode Fuzzy Hash: a1428e8900b675f98284af4cfea6d56455672c80c483387f0b4f29c122f30612
Instruction Fuzzy Hash: CF215EB0200605AFEB10BFB4EDC9E363B69FB65B49F101525F516C22B1EBB5AC00DB25

Function 0088E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0088EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0088EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0088EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0088EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0088EAA7

Strings

close PlayMe, xrefs: 0088EA6E, 0088EA9B
play PlayMe wait, xrefs: 0088EA91
status PlayMe mode, xrefs: 0088EA58
play PlayMe, xrefs: 0088EAA2
open , xrefs: 0088EA0C
alias PlayMe, xrefs: 0088EA36

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 9c1ea19f47a590c9bb2d5c33a5b536b2abf105e7148baf341dad29f509ca399a
Instruction ID: 87b6400c7098e4ed4432296102782cdeddc44a6087a537869c9a3b2b06e8f4cf
Opcode Fuzzy Hash: 9c1ea19f47a590c9bb2d5c33a5b536b2abf105e7148baf341dad29f509ca399a
Instruction Fuzzy Hash: 9C116D61A5026979D724B7A6ED4ADFB6A7CFBA2F80F000429B811E21D1EA600A54C6B1

Function 00889F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0088A012
SetKeyboardState.USER32(?), ref: 0088A07D
GetAsyncKeyState.USER32(000000A0), ref: 0088A09D
GetKeyState.USER32(000000A0), ref: 0088A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0088A0E3
GetKeyState.USER32(000000A1), ref: 0088A0F4
GetAsyncKeyState.USER32(00000011), ref: 0088A120
GetKeyState.USER32(00000011), ref: 0088A12E
GetAsyncKeyState.USER32(00000012), ref: 0088A157
GetKeyState.USER32(00000012), ref: 0088A165
GetAsyncKeyState.USER32(0000005B), ref: 0088A18E
GetKeyState.USER32(0000005B), ref: 0088A19C

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4d2cb6ee2d2b838f769e47e45954a1a58bee98f62d287e72ddfbd307d9953587
Instruction ID: da7f7e511fda92a2348d3e3a44ccfa840248bd0cbe462b87fea7cbb0a6c977aa
Opcode Fuzzy Hash: 4d2cb6ee2d2b838f769e47e45954a1a58bee98f62d287e72ddfbd307d9953587
Instruction Fuzzy Hash: 8851B62490478869FB39FB6488157AABFB4EF12380F08459AD5C2D61C3EA54AA4CC763

Function 00885CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00885CE2
GetWindowRect.USER32(00000000,?), ref: 00885CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00885D59
GetDlgItem.USER32(?,00000002), ref: 00885D69
GetWindowRect.USER32(00000000,?), ref: 00885D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00885DCF
GetDlgItem.USER32(?,000003E9), ref: 00885DDD
GetWindowRect.USER32(00000000,?), ref: 00885DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00885E31
GetDlgItem.USER32(?,000003EA), ref: 00885E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00885E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00885E67

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 24e3af680dcff2a49788863b2e859553d8aac73d2511782c0976d53ba6513862
Instruction ID: b6689d463180b4dd77c4ed20852612658544928e318f140f4c92780ed78d3b39
Opcode Fuzzy Hash: 24e3af680dcff2a49788863b2e859553d8aac73d2511782c0976d53ba6513862
Instruction Fuzzy Hash: BD510E71B00609AFDF18DF68DD89AAEBBB5FB58301F148229F915E7290D770AE04CB50

Function 00838BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00838F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00838BE8,?,00000000,?,?,?,?,00838BBA,00000000,?), ref: 00838FC5

DestroyWindow.USER32(?), ref: 00838C81
KillTimer.USER32(00000000,?,?,?,?,00838BBA,00000000,?), ref: 00838D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00876973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00838BBA,00000000,?), ref: 008769A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00838BBA,00000000,?), ref: 008769B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00838BBA,00000000), ref: 008769D4
DeleteObject.GDI32(00000000), ref: 008769E6

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 4a9360746dcb2be0e7786dc57d433f76385dc0466a1a7c7e7c1d944bb8a01499
Instruction ID: db1311eb16be37f0bbb048f20ce1dd35b6449a1a38c275966c3a57898a9e9bbd
Opcode Fuzzy Hash: 4a9360746dcb2be0e7786dc57d433f76385dc0466a1a7c7e7c1d944bb8a01499
Instruction Fuzzy Hash: 29618A30502B14DFCB259F29CA48B25BBF1FB90316F149528E086DBA64CB75E991CBE0

Function 00839838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00839944: GetWindowLongW.USER32(?,000000EB), ref: 00839952

GetSysColor.USER32(0000000F), ref: 00839862

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f84130315686f8de48a41e6d8dd747d986cce969a1c92b8c057628c3f6fc9c18
Instruction ID: d91b4e59a9ae4f94b961b525e85656a6be97455cbe685cb15a1e3e9f47441b3d
Opcode Fuzzy Hash: f84130315686f8de48a41e6d8dd747d986cce969a1c92b8c057628c3f6fc9c18
Instruction Fuzzy Hash: BD41AF31104644AFDB205F389C88BBA7BA5FB86330F144665F9E2D72E1C7B19841DB60

Function 008896E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0086F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00889717
LoadStringW.USER32(00000000,?,0086F7F8,00000001), ref: 00889720

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0086F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00889742
LoadStringW.USER32(00000000,?,0086F7F8,00000001), ref: 00889745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00889866

Strings

Line %d (File "%s"):, xrefs: 0088978F
^ ERROR, xrefs: 008897FB
%s (%d) : ==> %s: %s %s, xrefs: 0088984A
Line %d:, xrefs: 008897A0
Error: , xrefs: 0088981D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: af28b8bb18e653bdd38ba9775c58e1ff3182cb169795f099cfa1c451d47b42a1
Instruction ID: 27ca311335daf38a88fd99df93452eac092f3e956312989e24696216ea959a2d
Opcode Fuzzy Hash: af28b8bb18e653bdd38ba9775c58e1ff3182cb169795f099cfa1c451d47b42a1
Instruction Fuzzy Hash: 84412E72800229AACB04FBE8ED56DEE7778FF55340F540465F605F2192EA356F88CB62

Function 008806DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00826B57: _wcslen.LIBCMT ref: 00826B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008807A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008807BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008807DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00880804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0088082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00880837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0088083C

Strings

\IPC$, xrefs: 00880784
\CLSID, xrefs: 00880724
SOFTWARE\Classes\, xrefs: 0088070E

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: ed55fb9b801395e4ed95e2c4f9199ae02969293c3dd91f5c2e48e85b919bff65
Instruction ID: c14cdd4d45098297e7707900f5f39c75a4f348dd6eda25dcefbb9b06556ebc01
Opcode Fuzzy Hash: ed55fb9b801395e4ed95e2c4f9199ae02969293c3dd91f5c2e48e85b919bff65
Instruction Fuzzy Hash: 4F41E972C10229ABDF15EBA4EC958EEB778FF04750F054129E911E7261EB349E48CFA1

Function 008B3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 008B403B
CreateCompatibleDC.GDI32(00000000), ref: 008B4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 008B4055
SelectObject.GDI32(00000000,00000000), ref: 008B405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 008B4068
DeleteDC.GDI32(00000000), ref: 008B4072
GetWindowLongW.USER32(?,000000EC), ref: 008B407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 008B4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 008B409E

Strings

static, xrefs: 008B3FD3

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 6f00fe545a88088d0387598a431af928355e85745983e2176f0bcd9f09879b68
Instruction ID: 87959aa1117bc13072c03e20b4d065a4d7843a977c308f2b1b16b7b5133a12fb
Opcode Fuzzy Hash: 6f00fe545a88088d0387598a431af928355e85745983e2176f0bcd9f09879b68
Instruction Fuzzy Hash: 57317C32101219ABDF219FA8CC09FEA3B68FF0D320F000311FA55E62A1C775D811DB64

Function 008A3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008A3C5C
CoInitialize.OLE32(00000000), ref: 008A3C8A
CoUninitialize.OLE32 ref: 008A3C94
_wcslen.LIBCMT ref: 008A3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 008A3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 008A3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 008A3F0E
CoGetObject.OLE32(?,00000000,008BFB98,?), ref: 008A3F2D
SetErrorMode.KERNEL32(00000000), ref: 008A3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008A3FC4
VariantClear.OLEAUT32(?), ref: 008A3FD8

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 8cea0d588a957fbeda13759f18fc730b58e526b48c4050eba6a553385782d050
Instruction ID: 8ce546ed69e5be26db3f92780dbbcd6e9e47e534ef1ce8a1860e0a1f29a2c45e
Opcode Fuzzy Hash: 8cea0d588a957fbeda13759f18fc730b58e526b48c4050eba6a553385782d050
Instruction Fuzzy Hash: D7C115716082059FE700DF68C88492BBBE9FF8A748F14491DF98ADB611DB31EE45CB52

Function 00897A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00897AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00897B8F
SHGetDesktopFolder.SHELL32(?), ref: 00897BA3
CoCreateInstance.OLE32(008BFD08,00000000,00000001,008E6E6C,?), ref: 00897BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00897C74
CoTaskMemFree.OLE32(?,?), ref: 00897CCC
SHBrowseForFolderW.SHELL32(?), ref: 00897D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00897D7A
CoTaskMemFree.OLE32(00000000), ref: 00897D81
CoTaskMemFree.OLE32(00000000), ref: 00897DD6
CoUninitialize.OLE32 ref: 00897DDC

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 8f288fbac1d6742ab65a9b328588c8aac61b193ca552ce95b084b48fdfea6fb6
Instruction ID: 51cc3658653ad329d809d060a01c51aca5d623d77b00513b4788330f1b1d125e
Opcode Fuzzy Hash: 8f288fbac1d6742ab65a9b328588c8aac61b193ca552ce95b084b48fdfea6fb6
Instruction Fuzzy Hash: A3C10A75A04119AFCB14DF64C884DAEBBB9FF48314B1485A9F81ADB361D730EE45CB90

Function 008B541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 008B5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008B5515
CharNextW.USER32(00000158), ref: 008B5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 008B5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 008B559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008B55AC

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: ddbd65a8885ee3f92181f0ba6c1e000b557d6898743768a3e43f58999cc8dcea
Instruction ID: 98da07cdebeda7c45bf35f36cb96587d96b33fe60454a1ac9dc3eb2e3dd23fb0
Opcode Fuzzy Hash: ddbd65a8885ee3f92181f0ba6c1e000b557d6898743768a3e43f58999cc8dcea
Instruction Fuzzy Hash: FE617970900609AFDF209FA4DC84EFE7BB9FB0A725F104149F925EA391D7749A80DB61

Function 0087FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0087FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0087FB08
VariantInit.OLEAUT32(?), ref: 0087FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0087FB3A
VariantCopy.OLEAUT32(?,?), ref: 0087FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0087FBA1
VariantClear.OLEAUT32(?), ref: 0087FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0087FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0087FBCC
VariantClear.OLEAUT32(?), ref: 0087FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0087FBE9

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d0a7ca3901d70c25fd1bb51a757139076d76dccf69a4941985d777dc7e92c319
Instruction ID: e38643a87d4e25dea4f86fc001e5f9958153b0dd861948283cbe903919786277
Opcode Fuzzy Hash: d0a7ca3901d70c25fd1bb51a757139076d76dccf69a4941985d777dc7e92c319
Instruction Fuzzy Hash: 01413E35A00219DFCF00DF69D8549AEBBB9FF48354F008569E959E7262CB30EA45CFA1

Function 00889C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00889CA1
GetAsyncKeyState.USER32(000000A0), ref: 00889D22
GetKeyState.USER32(000000A0), ref: 00889D3D
GetAsyncKeyState.USER32(000000A1), ref: 00889D57
GetKeyState.USER32(000000A1), ref: 00889D6C
GetAsyncKeyState.USER32(00000011), ref: 00889D84
GetKeyState.USER32(00000011), ref: 00889D96
GetAsyncKeyState.USER32(00000012), ref: 00889DAE
GetKeyState.USER32(00000012), ref: 00889DC0
GetAsyncKeyState.USER32(0000005B), ref: 00889DD8
GetKeyState.USER32(0000005B), ref: 00889DEA

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 11ab7cc813602dc1eac46654e82268497ff20c5c42c1fa453859a87ded7dcac1
Instruction ID: 89ff279fa4f154daf1d3208ae910b8d0e95f816b3db2537bc9aba081bd07effc
Opcode Fuzzy Hash: 11ab7cc813602dc1eac46654e82268497ff20c5c42c1fa453859a87ded7dcac1
Instruction Fuzzy Hash: 2141A6346047C96DFF31A664C8043B5BEE1FF11344F0C815ADAC6965C2EBE599C8C7A6

Function 008A055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008A05BC
inet_addr.WSOCK32(?), ref: 008A061C
gethostbyname.WSOCK32(?), ref: 008A0628
IcmpCreateFile.IPHLPAPI ref: 008A0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008A06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008A06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008A07B9
WSACleanup.WSOCK32 ref: 008A07BF

Strings

Ping, xrefs: 008A0676

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a521cdda09482d7ca2380484b370d6d5d16c9dffa8eff0354ff6f035a865d113
Instruction ID: b466ee2ff8f22e0ad783c8daa6b737a6809e95fa466d66f608547093d466b8b8
Opcode Fuzzy Hash: a521cdda09482d7ca2380484b370d6d5d16c9dffa8eff0354ff6f035a865d113
Instruction Fuzzy Hash: 48917D355042019FE720CF19D489F1ABBE0FF45318F1485A9E46ADBAA2D731ED45CF92

Function 008A8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 008A8CF3

Part of subcall function 00888E54: _wcslen.LIBCMT ref: 00888E77

_wcslen.LIBCMT ref: 008A8D4E
_wcslen.LIBCMT ref: 008A8D9C
_wcslen.LIBCMT ref: 008A8DDC
_wcslen.LIBCMT ref: 008A8E6E

Strings

winapi, xrefs: 008A8D96, 008A8D9B
cdecl, xrefs: 008A8D48, 008A8D4D
none, xrefs: 008A8E65, 008A8E6A
stdcall, xrefs: 008A8DD6, 008A8DDB

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: d6e6235cbb8863f5a5a7d7dc22a1996af1be4e5ae1c37b6e505e66e6ea2c9717
Instruction ID: 9ef97223dd5c08dbb30c9bb230973be17462f5b3857d0c15dd9713158119ac1b
Opcode Fuzzy Hash: d6e6235cbb8863f5a5a7d7dc22a1996af1be4e5ae1c37b6e505e66e6ea2c9717
Instruction Fuzzy Hash: 2551B131A0051ADBDF14DF6CC8409BEB7A5FF66324B214229E826E7680EF30DD50C7A0

Function 008A372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 008A3774
CoUninitialize.OLE32 ref: 008A377F
CoCreateInstance.OLE32(?,00000000,00000017,008BFB78,?), ref: 008A37D9
IIDFromString.OLE32(?,?), ref: 008A384C
VariantInit.OLEAUT32(?), ref: 008A38E4
VariantClear.OLEAUT32(?), ref: 008A3936

Strings

NULL Pointer assignment, xrefs: 008A381E
Invalid parameter, xrefs: 008A3865
Failed to create object, xrefs: 008A37E4, 008A389A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 26d07d45eb5227c656dd18ca11124f16139332813518d7e3f8b24a8f7e300884
Instruction ID: ddc37e799ada962ba1b9208b6505fc9352ebad27ab72a25903ce650dee52eae4
Opcode Fuzzy Hash: 26d07d45eb5227c656dd18ca11124f16139332813518d7e3f8b24a8f7e300884
Instruction Fuzzy Hash: 7B61AE70608311AFE310DF54D888B6ABBE8FF4A714F100929F995DB691D774EE48CB92

Function 00893388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008933CF

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008933F0

Strings

^ ERROR , xrefs: 0089349E
Line %d (File "%s"):, xrefs: 00893443, 0089345C
Incorrect parameters to object property !, xrefs: 008934AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00893504
Error: , xrefs: 008934D1
"%s" (%d) : ==> %s:, xrefs: 00893522

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 4beaf80d85a03e0a0876fef5e46747cf45a9a2183255cd88a22e8db9fc561a54
Instruction ID: ae1639c52858b400e0903d27dae5d99f9f89b8a43ec626c79798204a59e096c7
Opcode Fuzzy Hash: 4beaf80d85a03e0a0876fef5e46747cf45a9a2183255cd88a22e8db9fc561a54
Instruction Fuzzy Hash: 5B51AD71800219AACF15EBA4ED56EEEB778FF14340F144065F405F2292EB356F98CB62

Function 0088B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0088B5FC
_wcslen.LIBCMT ref: 0088B608
_wcslen.LIBCMT ref: 0088B64D
_wcslen.LIBCMT ref: 0088B68C
_wcslen.LIBCMT ref: 0088B6C7

Strings

EXISTS, xrefs: 0088B686, 0088B68B
REMOVE, xrefs: 0088B602, 0088B607
APPEND, xrefs: 0088B6C1, 0088B6C6
KEYS, xrefs: 0088B647, 0088B64C

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 36d07ba0fadfe55471a08e49feda505e749fba881d129e2754591ff438958747
Instruction ID: e77ca66f3ea3337b470ba1afa2af0d3dbea893875b00d931ca1ab04e68dd2bfd
Opcode Fuzzy Hash: 36d07ba0fadfe55471a08e49feda505e749fba881d129e2754591ff438958747
Instruction Fuzzy Hash: BE419332A001279BCB20BE7D89905BE7BA5FFF17A4B254229E561D7284F731CD81C790

Function 00895393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008953A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00895416
GetLastError.KERNEL32 ref: 00895420
SetErrorMode.KERNEL32(00000000,READY), ref: 008954A7

Strings

INVALID, xrefs: 00895459
UNKNOWN, xrefs: 00895444
READY, xrefs: 00895460, 00895468
READONLY, xrefs: 00895452
NOTREADY, xrefs: 0089544B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 900f716dddb7cf12674022df5d54a4e110052d471d1671d4983abce7a75d3d43
Instruction ID: 1412118e9cd2e416e6a7782e503ccb386366362bb794d949c4406d87802d5827
Opcode Fuzzy Hash: 900f716dddb7cf12674022df5d54a4e110052d471d1671d4983abce7a75d3d43
Instruction Fuzzy Hash: FD31D4B5A006089FCB52EF69C884AAABBB4FF45305F188065F505DB292E731DD86CB91

Function 008B3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 008B3C79
SetMenu.USER32(?,00000000), ref: 008B3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008B3D10
IsMenu.USER32(?), ref: 008B3D24
CreatePopupMenu.USER32 ref: 008B3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008B3D5B
DrawMenuBar.USER32 ref: 008B3D63

Strings

F, xrefs: 008B3D4E
0, xrefs: 008B3C54

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: fa8b97bb578f6f5c0223b19f265bf3375f1230400307ea83f409c061426a297a
Instruction ID: 2aa073d1b16793bbb9b886fd88ec29bd27db1af38637f2c73be483fef9108070
Opcode Fuzzy Hash: fa8b97bb578f6f5c0223b19f265bf3375f1230400307ea83f409c061426a297a
Instruction Fuzzy Hash: 97413A75A01209EFDB24CF64D854EEA7BB5FF49350F180129F946E7360D771AA10CB94

Function 00881EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

Part of subcall function 00883CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00883CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00881F64
GetDlgCtrlID.USER32 ref: 00881F6F
GetParent.USER32 ref: 00881F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00881F8E
GetDlgCtrlID.USER32(?), ref: 00881F97
GetParent.USER32(?), ref: 00881FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00881FAE

Strings

ListBox, xrefs: 00881F21
ComboBox, xrefs: 00881EEC

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: bc5d6a5251fbd0aee392d9fa09ade44700210bbff7f096c094069e159964b8ce
Instruction ID: 84a52db7c15d2681a2099a650296ebfc1205b1752fb5894fd654ae0b82d7f0c5
Opcode Fuzzy Hash: bc5d6a5251fbd0aee392d9fa09ade44700210bbff7f096c094069e159964b8ce
Instruction Fuzzy Hash: 8821B074A00218BBCF04AFA4DC85DEEBBB8FF1A310F000219FA61A7291DB745905DB60

Function 00881FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

Part of subcall function 00883CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00883CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00882043
GetDlgCtrlID.USER32 ref: 0088204E
GetParent.USER32 ref: 0088206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0088206D
GetDlgCtrlID.USER32(?), ref: 00882076
GetParent.USER32(?), ref: 0088208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0088208D

Strings

ListBox, xrefs: 00882002
ComboBox, xrefs: 00881FCD

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: f513bd45325f4e7be3789f1da5c3610bffdf2818cffedcb1afc56b92717ca8f0
Instruction ID: 58d3662481572c3e8ef2002584e4bf9d838360303c9c8d7c34730ee38c84e8b1
Opcode Fuzzy Hash: f513bd45325f4e7be3789f1da5c3610bffdf2818cffedcb1afc56b92717ca8f0
Instruction Fuzzy Hash: 6B219FB5D00218BBCF10AFA4DC85EEEBBB8FF1A340F004116F991E72A1DA794955DB61

Function 008B3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008B3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008B3AA0
GetWindowLongW.USER32(?,000000F0), ref: 008B3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008B3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008B3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 008B3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 008B3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 008B3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 008B3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 008B3C13

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: f88f7599315452405055fec4c13e17a186312eeaebcec06bcf34c4ff881029a7
Instruction ID: 4436176f4ee81378005c51b72af9014a1bc8daaaab1df2d7cf740b062f856451
Opcode Fuzzy Hash: f88f7599315452405055fec4c13e17a186312eeaebcec06bcf34c4ff881029a7
Instruction Fuzzy Hash: 2E616875A00248AFDB11DFA8CC85EEE7BB8FB09714F100199FA15E73A1C770AA45DB60

Function 0088B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0088B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0088A1E1,?,00000001), ref: 0088B165
GetWindowThreadProcessId.USER32(00000000), ref: 0088B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0088A1E1,?,00000001), ref: 0088B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0088B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0088A1E1,?,00000001), ref: 0088B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0088A1E1,?,00000001), ref: 0088B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0088A1E1,?,00000001), ref: 0088B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0088A1E1,?,00000001), ref: 0088B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0088A1E1,?,00000001), ref: 0088B21D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2a9ee2ab1ef24417a2ab0242d503bf517ff2725f954bee43b35486a5f759e0b1
Instruction ID: ee1334af5a4d2abdfc237458df466b0c7c10682ad40eb8c0f97d21347c173583
Opcode Fuzzy Hash: 2a9ee2ab1ef24417a2ab0242d503bf517ff2725f954bee43b35486a5f759e0b1
Instruction Fuzzy Hash: E43168B5540604BFDB10AF64DC88FBE7BA9FBA1311F10411AFA05DA1A0DBB4AE40CF64

Function 00852C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00852C94

Part of subcall function 008529C8: HeapFree.KERNEL32(00000000,00000000,?,0085D7D1,00000000,00000000,00000000,00000000,?,0085D7F8,00000000,00000007,00000000,?,0085DBF5,00000000), ref: 008529DE
Part of subcall function 008529C8: GetLastError.KERNEL32(00000000,?,0085D7D1,00000000,00000000,00000000,00000000,?,0085D7F8,00000000,00000007,00000000,?,0085DBF5,00000000,00000000), ref: 008529F0

_free.LIBCMT ref: 00852CA0
_free.LIBCMT ref: 00852CAB
_free.LIBCMT ref: 00852CB6
_free.LIBCMT ref: 00852CC1
_free.LIBCMT ref: 00852CCC
_free.LIBCMT ref: 00852CD7
_free.LIBCMT ref: 00852CE2
_free.LIBCMT ref: 00852CED
_free.LIBCMT ref: 00852CFB

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3f79551e3c01a5dd23cdf30e0b33eb3629f49d38d64ec70c9d60344b1565739e
Instruction ID: d14d0e2a5c9d1c065a4d243c3c0a8256df27e2bcf3a1b7c730fc85edf72aa1ec
Opcode Fuzzy Hash: 3f79551e3c01a5dd23cdf30e0b33eb3629f49d38d64ec70c9d60344b1565739e
Instruction Fuzzy Hash: E8119676100108AFCB02EF58D882DDD3FA5FF06351F5144A5FE48AB322DA31EE549B92

Function 00897DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00897FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00897FC1
GetFileAttributesW.KERNEL32(?), ref: 00897FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00898005
SetCurrentDirectoryW.KERNEL32(?), ref: 00898017
SetCurrentDirectoryW.KERNEL32(?), ref: 00898060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008980B0

Strings

*.*, xrefs: 00898066

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 378f8f0e85c211fdb5953a30d3f00cd9d712fa583768ae4400808fc95e1794b1
Instruction ID: a2da5bc438678d74c323d56b43e678a88befcb3d97a4ed49056c5b99e4ef419a
Opcode Fuzzy Hash: 378f8f0e85c211fdb5953a30d3f00cd9d712fa583768ae4400808fc95e1794b1
Instruction Fuzzy Hash: F081AF725182459BCF20FF18C8449AEB3E8FF89714F58486EF885D7250EB34DD498B92

Function 00825BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00825C7A

Part of subcall function 00825D0A: GetClientRect.USER32(?,?), ref: 00825D30
Part of subcall function 00825D0A: GetWindowRect.USER32(?,?), ref: 00825D71
Part of subcall function 00825D0A: ScreenToClient.USER32(?,?), ref: 00825D99

GetDC.USER32 ref: 008646F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00864708
SelectObject.GDI32(00000000,00000000), ref: 00864716
SelectObject.GDI32(00000000,00000000), ref: 0086472B
ReleaseDC.USER32(?,00000000), ref: 00864733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008647C4

Strings

U, xrefs: 00864693

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 86a4ad31ab4b232605b9e40d9506c84b0c49d2ba48b087dc7cd7c83f44cf3bf9
Instruction ID: 7a1ead3a28412cbd19007a1494b84362b50f58dbc7731fd958ea551b1c2c6a17
Opcode Fuzzy Hash: 86a4ad31ab4b232605b9e40d9506c84b0c49d2ba48b087dc7cd7c83f44cf3bf9
Instruction Fuzzy Hash: 9871FF30500209DFCF218F68C984ABE3BB6FF5A364F255269ED51DA2A6D7309881DF60

Function 0089359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008935E4

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

LoadStringW.USER32(008F2390,?,00000FFF,?), ref: 0089360A

Strings

Line %d (File "%s"):, xrefs: 0089366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00893724
^ ERROR, xrefs: 008936C9
Error: , xrefs: 008936EF
"%s" (%d) : ==> %s:, xrefs: 00893742

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 675af93ef90a2aa70a525de9a2564a0c537de344180c8e1c8951ff4ffe8f4f5b
Instruction ID: 0af09cfe069d2e2c79d40a9415b25c9d4d83116fe5bc45b2ed9d7cb3681a13ad
Opcode Fuzzy Hash: 675af93ef90a2aa70a525de9a2564a0c537de344180c8e1c8951ff4ffe8f4f5b
Instruction Fuzzy Hash: D3516E71800219BBCF15EBA4EC56EEEBB78FF14344F184125F515B2192EB341B98DB62

Function 008B8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00839BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00839BB2

Part of subcall function 0083912D: GetCursorPos.USER32(?), ref: 00839141
Part of subcall function 0083912D: ScreenToClient.USER32(00000000,?), ref: 0083915E
Part of subcall function 0083912D: GetAsyncKeyState.USER32(00000001), ref: 00839183
Part of subcall function 0083912D: GetAsyncKeyState.USER32(00000002), ref: 0083919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 008B8B6B
ImageList_EndDrag.COMCTL32 ref: 008B8B71
ReleaseCapture.USER32 ref: 008B8B77
SetWindowTextW.USER32(?,00000000), ref: 008B8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 008B8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 008B8CFF

Strings

@GUI_DRAGFILE, xrefs: 008B8C9A
@GUI_DROPID, xrefs: 008B8C51

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 2b26743dda5b4309f935354b93d38edc411a591327cfd9bc6ce73262d7a7ab8a
Instruction ID: cea7905f47565af1bf3bb38af934546835d8e6a2f4f1605b4e78a61dbb2c5db8
Opcode Fuzzy Hash: 2b26743dda5b4309f935354b93d38edc411a591327cfd9bc6ce73262d7a7ab8a
Instruction Fuzzy Hash: 1E517F71204314AFD704DF24DC6AFAA7BE4FB88714F40062DF996972E1DB71A944CBA2

Function 0089C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0089C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0089C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0089C2CA
GetLastError.KERNEL32 ref: 0089C322
SetEvent.KERNEL32(?), ref: 0089C336
InternetCloseHandle.WININET(00000000), ref: 0089C341

Strings

, xrefs: 0089C2BB

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 437eba82058aa035e6bfd271c601abc2f9a400665adb954575c43ab39e06b5ba
Instruction ID: 89e54ea509f86908362b55809aea415706d1f14c7afd1d476531c800645e7fcc
Opcode Fuzzy Hash: 437eba82058aa035e6bfd271c601abc2f9a400665adb954575c43ab39e06b5ba
Instruction Fuzzy Hash: FE3150B1600608AFDB21AFA9CC88AAB7BFCFB49744F18851DF446D2201DB76DD049B65

Function 0088989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00863AAF,?,?,Bad directive syntax error,008BCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008898BC
LoadStringW.USER32(00000000,?,00863AAF,?), ref: 008898C3

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00889987

Strings

Line %d (File "%s"):, xrefs: 0088992D
%s (%d) : ==> %s.: %s %s, xrefs: 008898F1
., xrefs: 0088996D
Error: , xrefs: 00889955
Line %d:, xrefs: 00889912

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 04275180b277853f4684cdcf086fa8c423ec0dfd74a76ed640d975ff4415c456
Instruction ID: 4644bc344b95123e1bc8bc537a46e1a8804c0c76625fbadd0740236b33666db2
Opcode Fuzzy Hash: 04275180b277853f4684cdcf086fa8c423ec0dfd74a76ed640d975ff4415c456
Instruction Fuzzy Hash: 4E217131C0021EABCF11EF94DC1AEEE7735FF28304F084465F515A11A2EB759668DB51

Function 0088209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008820AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008820C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0088214D

Strings

SHELLDLL_DefView, xrefs: 008820CC
largeicons, xrefs: 008820E1
details, xrefs: 008820FB
smallicons, xrefs: 00882115
list, xrefs: 0088212F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: b1fdee6edc94dd6db365a18e57936d5b476ee107c3b95d51f1d710ef09cb539a
Instruction ID: 4ee54d269e40ffa024e5d53ae7aebfb645f71114dd20ab85c3131fa191fa0fd4
Opcode Fuzzy Hash: b1fdee6edc94dd6db365a18e57936d5b476ee107c3b95d51f1d710ef09cb539a
Instruction Fuzzy Hash: 0B11067A6C871ABAF6017225DC0ADAA379CFB16728B30111AFB04E51D2FFA578015715

Function 00858D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef4e3a1bdf094090785d530d49083a89059dcb25d836d53b6c991692f6cf8ce
Instruction ID: 776a72030e09a89c87e5e0c5806f366296d90cbbcde5a4bff66537f8dd558344
Opcode Fuzzy Hash: eef4e3a1bdf094090785d530d49083a89059dcb25d836d53b6c991692f6cf8ce
Instruction Fuzzy Hash: 2FC1DC74A04249EFCF119FA8C845BADBBB4FF09312F08419AE955E73D2CB709949CB61

Function 0085CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0085CEB7
_free.LIBCMT ref: 0085CF22
_free.LIBCMT ref: 0085CF48
_free.LIBCMT ref: 0085CF71
_free.LIBCMT ref: 0085CFA9
_free.LIBCMT ref: 0085CFDA
_free.LIBCMT ref: 0085D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0085D09C
_free.LIBCMT ref: 0085D0B5

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: e8e291a8ee0d3a01576a1e041ba3322ad7335171c044c10987a1b0e4d726cc2f
Instruction ID: 165a1e7f1143eb2ab4162758e3b5c6a5fc1e0f0fa182b8ad192cfa09ae53a4d9
Opcode Fuzzy Hash: e8e291a8ee0d3a01576a1e041ba3322ad7335171c044c10987a1b0e4d726cc2f
Instruction Fuzzy Hash: 4B611371904314AFDF21AFB8D881A6E7BA5FF06362F14426DFD40E7282DA719D09CB91

Function 00838B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00876890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008768A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008768B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008768D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008768F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00838874,00000000,00000000,00000000,000000FF,00000000), ref: 00876901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0087691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00838874,00000000,00000000,00000000,000000FF,00000000), ref: 0087692D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 193eca67935a8b69f70a0747b40042fb88d9c467873645d72c1764d40fe6b45b
Instruction ID: ed03dcfcf12da8492f771065f8ba2f13b01889f77b98cf08d6de5caf91ec39ce
Opcode Fuzzy Hash: 193eca67935a8b69f70a0747b40042fb88d9c467873645d72c1764d40fe6b45b
Instruction Fuzzy Hash: 5E515A7060070AEFDB20CF24CC55FAABBA5FB98760F104528F956D62A0EB70E950DB90

Function 0089C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0089C182
GetLastError.KERNEL32 ref: 0089C195
SetEvent.KERNEL32(?), ref: 0089C1A9

Part of subcall function 0089C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0089C272
Part of subcall function 0089C253: GetLastError.KERNEL32 ref: 0089C322
Part of subcall function 0089C253: SetEvent.KERNEL32(?), ref: 0089C336
Part of subcall function 0089C253: InternetCloseHandle.WININET(00000000), ref: 0089C341

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: f4b9727a19814b60f4552d4e6f7fb51626455c398e5f084903c493b306ecb8a5
Instruction ID: de5cce2f238491a67df9d323f7320bf0e4c9d24c169d6d9628590a529e1d5e32
Opcode Fuzzy Hash: f4b9727a19814b60f4552d4e6f7fb51626455c398e5f084903c493b306ecb8a5
Instruction Fuzzy Hash: 28316A71600605AFDF21AFE9DC44A66BBF9FF58300B18452DF956C6610DB32E8149BA0

Function 008825A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00883A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00883A57
Part of subcall function 00883A3D: GetCurrentThreadId.KERNEL32 ref: 00883A5E
Part of subcall function 00883A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008825B3), ref: 00883A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008825BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008825DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008825DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008825E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00882601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00882605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0088260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00882623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00882627

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 32330a04de0a82f4be395286297a9213e4e15115c8304a829d84876cc35a41e0
Instruction ID: 0a41275322fe59fdcce52572f0d078e2646117341cb4c567ddcc80125dcbec5e
Opcode Fuzzy Hash: 32330a04de0a82f4be395286297a9213e4e15115c8304a829d84876cc35a41e0
Instruction Fuzzy Hash: E801B170290624BBFB1067689C8AF593F59EB5EB12F100106F358EE0D1C9E224448A6A

Function 00881803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00881449,?,?,00000000), ref: 0088180C
HeapAlloc.KERNEL32(00000000,?,00881449,?,?,00000000), ref: 00881813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00881449,?,?,00000000), ref: 00881828
GetCurrentProcess.KERNEL32(?,00000000,?,00881449,?,?,00000000), ref: 00881830
DuplicateHandle.KERNEL32(00000000,?,00881449,?,?,00000000), ref: 00881833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00881449,?,?,00000000), ref: 00881843
GetCurrentProcess.KERNEL32(00881449,00000000,?,00881449,?,?,00000000), ref: 0088184B
DuplicateHandle.KERNEL32(00000000,?,00881449,?,?,00000000), ref: 0088184E
CreateThread.KERNEL32(00000000,00000000,00881874,00000000,00000000,00000000), ref: 00881868

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 057d1b65812cd165a7b23f59c3435481dbc956c4e42663a44e11c792847b64c1
Instruction ID: 94dfd0748f12548d0593dcbc126ad9e55d041cad46c2352a116075fd6ac7a052
Opcode Fuzzy Hash: 057d1b65812cd165a7b23f59c3435481dbc956c4e42663a44e11c792847b64c1
Instruction Fuzzy Hash: 4A016FB5640344BFE710AFA5DC4DF577BACFB89B11F414521FA05EB291DA759800CB60

Function 008AA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0088D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0088D501
Part of subcall function 0088D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0088D50F
Part of subcall function 0088D4DC: CloseHandle.KERNELBASE(00000000), ref: 0088D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 008AA16D
GetLastError.KERNEL32 ref: 008AA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 008AA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 008AA268
GetLastError.KERNEL32(00000000), ref: 008AA273
CloseHandle.KERNEL32(00000000), ref: 008AA2C4

Strings

SeDebugPrivilege, xrefs: 008AA18F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: c971f2b653a9c07a39ef35db918742ff0554ead4d92168aab5164c060af7a6c5
Instruction ID: 11f830b0fe61f371a2afbbf36ee1140e95b13b0e06e67c22260ea86e623e07c1
Opcode Fuzzy Hash: c971f2b653a9c07a39ef35db918742ff0554ead4d92168aab5164c060af7a6c5
Instruction Fuzzy Hash: 12616E30204242AFE714DF18C494F2ABBE5FF45318F14849CE4668BBA2C776EC85CB92

Function 008B3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 008B3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 008B393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008B3954
_wcslen.LIBCMT ref: 008B3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008B39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008B39F4

Strings

SysListView32, xrefs: 008B38F7

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 44eec8023455b662ad9956eaee52cec2862d83a15d1af05005e69f8d809ecd08
Instruction ID: a69b4594eb7fbbf172e2897dad2ad8cc748212ffc671da8150cee0626743ca0a
Opcode Fuzzy Hash: 44eec8023455b662ad9956eaee52cec2862d83a15d1af05005e69f8d809ecd08
Instruction Fuzzy Hash: AC41B471A00218ABEF219F64CC49FEA7BA9FF19354F10052AF958E7391D7B19D80CB90

Function 0088BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0088BCFD
IsMenu.USER32(00000000), ref: 0088BD1D
CreatePopupMenu.USER32 ref: 0088BD53
GetMenuItemCount.USER32(00D256F0), ref: 0088BDA4
InsertMenuItemW.USER32(00D256F0,?,00000001,00000030), ref: 0088BDCC

Strings

0, xrefs: 0088BCA8
2, xrefs: 0088BD37

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2bce46c12a522bde595f1fa0005999fe387560c36fea9ae3261394ae87880302
Instruction ID: 00805d4080e814d709776a1ffb31b378674873aae7a8f2bcf50f400a3e6aee29
Opcode Fuzzy Hash: 2bce46c12a522bde595f1fa0005999fe387560c36fea9ae3261394ae87880302
Instruction Fuzzy Hash: B451B070A00209EBDF20EFA8D884BAEBBF4FF85314F144219E451D72A1D7709D45CB61

Function 0088C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0088C913

Strings

blank, xrefs: 0088C895
info, xrefs: 0088C8B4
stop, xrefs: 0088C8E4
warning, xrefs: 0088C8FC
question, xrefs: 0088C8CC

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9c4caba27f6e18d7bf6217517af892468035d21de95da7cc4be2c02b62d4a4cf
Instruction ID: 1efdcc37d6aca7b6c3fd97cea52776be5c436ded0eb9403f3f79af7d31c06249
Opcode Fuzzy Hash: 9c4caba27f6e18d7bf6217517af892468035d21de95da7cc4be2c02b62d4a4cf
Instruction Fuzzy Hash: 0A110D3168970BBAE701BB659C83DAA6B9CFF15368B20017BF500E6382F7745E405379

Function 0088DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0088DE42
gethostname.WSOCK32(?,00000100), ref: 0088DE5C
gethostbyname.WSOCK32(?), ref: 0088DE69
inet_ntoa.WSOCK32(?), ref: 0088DEAB
_strcat.LIBCMT ref: 0088DEB9
WSACleanup.WSOCK32 ref: 0088DEDE

Strings

0.0.0.0, xrefs: 0088DE87

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 5989caceed34212bf1e6d6566e6c3068b9c704ece6fc0adbbd14ac594e7860d2
Instruction ID: 48faa98016d895dc723011f064671b498d5fc6575121ff90a708c34e0eb54a3d
Opcode Fuzzy Hash: 5989caceed34212bf1e6d6566e6c3068b9c704ece6fc0adbbd14ac594e7860d2
Instruction Fuzzy Hash: 24110A71904218ABCB207B68DC4AEDF7B6CFF11711F0001B9F545DA0D1EF709A818B61

Function 008B9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00839BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00839BB2

GetSystemMetrics.USER32(0000000F), ref: 008B9FC7
GetSystemMetrics.USER32(0000000F), ref: 008B9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 008BA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 008BA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 008BA263
ShowWindow.USER32(00000003,00000000), ref: 008BA282
InvalidateRect.USER32(?,00000000,00000001), ref: 008BA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 008BA2CA

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: de4b6aae1bec72411ad5b5649df9b25b21b0aef7eb49613a582ddc13045e0670
Instruction ID: fbde1367effc5b35532a366bc903f344c0a3aa59642379d07e7f2215c8b67f6b
Opcode Fuzzy Hash: de4b6aae1bec72411ad5b5649df9b25b21b0aef7eb49613a582ddc13045e0670
Instruction Fuzzy Hash: F0B15831600219DBDF18CF68C985BEA7BB2FF44711F088169ED85DB395DB71A940CB61

Function 0088ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0088ED2A
_wcslen.LIBCMT ref: 0088ED3B
_wcslen.LIBCMT ref: 0088ED79
_wcslen.LIBCMT ref: 0088EDAF
_wcslen.LIBCMT ref: 0088EDDF
_wcslen.LIBCMT ref: 0088EDEF
_wcslen.LIBCMT ref: 0088EE2B
_wcslen.LIBCMT ref: 0088EE5A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 1085ce8f5f63c57eb63599e9a0cd34b7f6618b3425e5a1feb98097f35c750ee0
Instruction ID: eeb313571f986f4b89af632027853d8e0eab49d6e3109b0a4d6d71af16e6d0d5
Opcode Fuzzy Hash: 1085ce8f5f63c57eb63599e9a0cd34b7f6618b3425e5a1feb98097f35c750ee0
Instruction Fuzzy Hash: 82414E65C1022C76CB11FBF8888AACFBBA8FF45710F508566E518E3121FB74E655C3A6

Function 0083F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0087682C,00000004,00000000,00000000), ref: 0083F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0087682C,00000004,00000000,00000000), ref: 0087F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0087682C,00000004,00000000,00000000), ref: 0087F454

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e3887ba696f60cca2a3116e7c7afe295d8cd59e004824e4f8e1d1ab9a4032687
Instruction ID: 0cbce81d641118e7a4dda32a9149629e52d17cad58cf38e5e5b9d4ed13f0bfed
Opcode Fuzzy Hash: e3887ba696f60cca2a3116e7c7afe295d8cd59e004824e4f8e1d1ab9a4032687
Instruction Fuzzy Hash: 5441B631A08640BAC7359B2DC88876A7F91FBD6324F14853CEA4BD6667C675E880CBD1

Function 008B2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008B2D1B
GetDC.USER32(00000000), ref: 008B2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008B2D2E
ReleaseDC.USER32(00000000,00000000), ref: 008B2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008B2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008B2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,008B5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 008B2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008B2DE1

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: bee11937f5ba09380e997c70bdfd59585e4f2c64e2da510cd3fd6b2057bababc
Instruction ID: be6ae0ca4f2e3a7de4194d9358538fe52566bb12b5bd6f6fa20e89d02f0ecae4
Opcode Fuzzy Hash: bee11937f5ba09380e997c70bdfd59585e4f2c64e2da510cd3fd6b2057bababc
Instruction Fuzzy Hash: 50318972201214BBEB218F54CC8AFEB3BA9FF4A711F084155FE08DA291C6B59C51CBA4

Function 00885622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00885637
_memcmp.LIBVCRUNTIME ref: 00885659
_memcmp.LIBVCRUNTIME ref: 00885671
_memcmp.LIBVCRUNTIME ref: 00885684
_memcmp.LIBVCRUNTIME ref: 0088569E
_memcmp.LIBVCRUNTIME ref: 008856B1
_memcmp.LIBVCRUNTIME ref: 008856C9
_memcmp.LIBVCRUNTIME ref: 008856E4

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4425f360d03fda970a96b0eac293d0c351f8e49cd00cca68aa068b306daeba35
Instruction ID: 5ea651fa243032cb0ae5a189c071d4b179f37e20e03f3d459108cbdcb5dfe18c
Opcode Fuzzy Hash: 4425f360d03fda970a96b0eac293d0c351f8e49cd00cca68aa068b306daeba35
Instruction Fuzzy Hash: C7219571690A1D77D614B924CD92FFA235CFF30398B444020FE15DA782F729ED5187A6

Function 008A4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 008A5007
NULL Pointer assignment, xrefs: 008A502E, 008A5383

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5bcb04dcc0fa8354e8e8509c6a6ddad6a960f70494940614dbeb10f012b371b1
Instruction ID: c86ea6d0cb829377cc85fe50f434a0aac96a2ff265dd4df9757fce70efed1609
Opcode Fuzzy Hash: 5bcb04dcc0fa8354e8e8509c6a6ddad6a960f70494940614dbeb10f012b371b1
Instruction Fuzzy Hash: C8D1A171A0060AAFEF10CFA8C881BAEB7B5FF49344F148469E915EB681E771DD85CB50

Function 00861522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008617FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008615CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00861651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008617FB,?,008617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008616E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008616FB

Part of subcall function 00853820: RtlAllocateHeap.NTDLL(00000000,?,008F1444,?,0083FDF5,?,?,0082A976,00000010,008F1440,008213FC,?,008213C6,?,00821129), ref: 00853852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00861777
__freea.LIBCMT ref: 008617A2
__freea.LIBCMT ref: 008617AE

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 7c5b495a1f56e346b217af44ebb26baa539c9502a9632100957a70a27d4a4c00
Instruction ID: 03ca15f8ca943e454cce71cd650c5e4f29d92c4ec625c389ab634164de7c98c0
Opcode Fuzzy Hash: 7c5b495a1f56e346b217af44ebb26baa539c9502a9632100957a70a27d4a4c00
Instruction Fuzzy Hash: 3F91D471E0021A9ADF208E74CC89AEEBBB5FF49314F1E4659E902E7152DB35CD44CBA1

Function 008A4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008A4648
VariantInit.OLEAUT32(?), ref: 008A4749
VariantClear.OLEAUT32(?), ref: 008A4753
VariantClear.OLEAUT32(?), ref: 008A47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 008A472C
Null Object assignment in FOR..IN loop, xrefs: 008A45D8, 008A4706, 008A47BE

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 18a08960453518a2edacbe27d822f089a8f519777a030d14ef338a182cd6b063
Instruction ID: a704e46b348eed5808d7035ce61e38ace37eb8947223f02b11e5ba71d9849007
Opcode Fuzzy Hash: 18a08960453518a2edacbe27d822f089a8f519777a030d14ef338a182cd6b063
Instruction Fuzzy Hash: CC91AF71A00219ABEF20CFA5C844FAEBBB8FF86714F108559F515EB281D7B09945CFA0

Function 00891187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0089125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00891284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008912A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008912D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0089135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008913C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00891430

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: b5c861164054d9fe44a3d7c6a25424f76bdc032c3eec08f993d2f505204e771a
Instruction ID: 36608cc0cb89e31c96921e25022f741c527299c550a7c5bd3a02f06e9a48b499
Opcode Fuzzy Hash: b5c861164054d9fe44a3d7c6a25424f76bdc032c3eec08f993d2f505204e771a
Instruction Fuzzy Hash: FF91E475A0421AAFDF00EF98C889BBEB7B5FF44315F184429E900EB291D774A941CB95

Function 0083948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a1188e2551bb6682262e81a8b0f09c0ee74751b066fb9e934d8dc6c09c0d8a5a
Instruction ID: 0c5b36295960ccf9bf6bb49202d7a8e6f84be85412f529ae4cd8433c9aa65f6e
Opcode Fuzzy Hash: a1188e2551bb6682262e81a8b0f09c0ee74751b066fb9e934d8dc6c09c0d8a5a
Instruction Fuzzy Hash: 04911571D00219EFCB11CFA9C884AEEBBB8FF89320F148559E555F7251D774A982CBA0

Function 008A3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008A396B
CharUpperBuffW.USER32(?,?), ref: 008A3A7A
_wcslen.LIBCMT ref: 008A3A8A
VariantClear.OLEAUT32(?), ref: 008A3C1F

Part of subcall function 00890CDF: VariantInit.OLEAUT32(00000000), ref: 00890D1F
Part of subcall function 00890CDF: VariantCopy.OLEAUT32(?,?), ref: 00890D28
Part of subcall function 00890CDF: VariantClear.OLEAUT32(?), ref: 00890D34

Strings

AUTOIT.ERROR, xrefs: 008A3A80, 008A3A85
Incorrect Parameter format, xrefs: 008A39A6, 008A3BA1

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 102cff6aaa65ec5158ecc53faf56e3869968775748eb3eab8409105cc9820b64
Instruction ID: 51f24235abbbaf5516c9b082918c7b9fd6606cc8fe7d41bdb1ce7a7be1672d74
Opcode Fuzzy Hash: 102cff6aaa65ec5158ecc53faf56e3869968775748eb3eab8409105cc9820b64
Instruction Fuzzy Hash: 059124756083159FD704EF28C48096AB7E5FF8A314F14892DF889DB351DB31EA46CB92

Function 008A4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0088000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0087FF41,80070057,?,?,?,0088035E), ref: 0088002B
Part of subcall function 0088000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0087FF41,80070057,?,?), ref: 00880046
Part of subcall function 0088000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0087FF41,80070057,?,?), ref: 00880054
Part of subcall function 0088000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0087FF41,80070057,?), ref: 00880064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 008A4C51
_wcslen.LIBCMT ref: 008A4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 008A4DCF
CoTaskMemFree.OLE32(?), ref: 008A4DDA

Strings

NULL Pointer assignment, xrefs: 008A4E23, 008A4E52

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 51eba62ff0e10ada73f97e2c39d9511fa12e5fa4b36766cf48ac8ec612963507
Instruction ID: 9c72d846e59dd2812650e5d88f29044bd65cab5172ed5d2a99e0609476abbad5
Opcode Fuzzy Hash: 51eba62ff0e10ada73f97e2c39d9511fa12e5fa4b36766cf48ac8ec612963507
Instruction Fuzzy Hash: 0F912671D0022DAFEF14DFA8D880AEEBBB8FF49314F104169E915E7251EB709A548F61

Function 008B20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 008B2183
GetMenuItemCount.USER32(00000000), ref: 008B21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008B21DD
_wcslen.LIBCMT ref: 008B2213
GetMenuItemID.USER32(?,?), ref: 008B224D
GetSubMenu.USER32(?,?), ref: 008B225B

Part of subcall function 00883A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00883A57
Part of subcall function 00883A3D: GetCurrentThreadId.KERNEL32 ref: 00883A5E
Part of subcall function 00883A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008825B3), ref: 00883A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008B22E3

Part of subcall function 0088E97B: Sleep.KERNEL32 ref: 0088E9F3

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 166249c77e0b0a39c56a682c1cfc25b0c29e30832a0db6a93fc6faac19d66a2f
Instruction ID: 25058599fe848f8c97c548e6902013c6a919dfe090c62574e19af6fd0a5285b3
Opcode Fuzzy Hash: 166249c77e0b0a39c56a682c1cfc25b0c29e30832a0db6a93fc6faac19d66a2f
Instruction Fuzzy Hash: 59716D75A00215AFCB10EF68C885AEEBBF5FF88310F148459E916EB351DB34EE418B91

Function 008B7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00D25768), ref: 008B7F37
IsWindowEnabled.USER32(00D25768), ref: 008B7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 008B801E
SendMessageW.USER32(00D25768,000000B0,?,?), ref: 008B8051
IsDlgButtonChecked.USER32(?,?), ref: 008B8089
GetWindowLongW.USER32(00D25768,000000EC), ref: 008B80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008B80C3

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 07018c1d7c361b1cd2d10fc84943fb0929171775edf787f53a208428218f4c2c
Instruction ID: e9e2597cc7cc9743371f0b46e2dd14044e87bfec815eb8d07cb840d8a7b33469
Opcode Fuzzy Hash: 07018c1d7c361b1cd2d10fc84943fb0929171775edf787f53a208428218f4c2c
Instruction Fuzzy Hash: 51718834A09604EFEB20AF64C884FFABBB9FF99340F140459E955D73A1CB31A845CB24

Function 0088AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0088AEF9
GetKeyboardState.USER32(?), ref: 0088AF0E
SetKeyboardState.USER32(?), ref: 0088AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0088AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0088AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0088AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0088B020

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e89020897a81ec8bf8e4239da43ba6ac5c884f43d32a8901692559821d5e6d13
Instruction ID: 2e0a1f8b7ef2f1a6c7b0102e40210fe50c8a61140bf01fd11fe16c7f19dda707
Opcode Fuzzy Hash: e89020897a81ec8bf8e4239da43ba6ac5c884f43d32a8901692559821d5e6d13
Instruction Fuzzy Hash: BB5115A06047D53DFB3A62348C45BBABFE9BB46304F08858AE2E5D54C2D7D8ACC4D752

Function 0088ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0088AD19
GetKeyboardState.USER32(?), ref: 0088AD2E
SetKeyboardState.USER32(?), ref: 0088AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0088ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0088ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0088AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0088AE38

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3eb1507b96529414c1399e24c91211e34d6a62a4e9294eb3570fefbb36c8d55e
Instruction ID: 05b07c37cfd2792d5a844b7eab6cc3c01a9ebe780868c96b9832421599bbf0d9
Opcode Fuzzy Hash: 3eb1507b96529414c1399e24c91211e34d6a62a4e9294eb3570fefbb36c8d55e
Instruction Fuzzy Hash: 5A51E6A15047D53DFB3AA3348C95B7ABF98FB46301F08898AE1D5D68C2D394EC84D752

Function 0085542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00863CD6,?,?,?,?,?,?,?,?,00855BA3,?,?,00863CD6,?,?), ref: 00855470
__fassign.LIBCMT ref: 008554EB
__fassign.LIBCMT ref: 00855506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00863CD6,00000005,00000000,00000000), ref: 0085552C
WriteFile.KERNEL32(?,00863CD6,00000000,00855BA3,00000000,?,?,?,?,?,?,?,?,?,00855BA3,?), ref: 0085554B
WriteFile.KERNEL32(?,?,00000001,00855BA3,00000000,?,?,?,?,?,?,?,?,?,00855BA3,?), ref: 00855584

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: ea3281cf7358ddd138d81f1395427732208d9266b1c19570595f570d55d95759
Instruction ID: 6ca298bd5d533463a27fc54649d777e122820c1d4112117a16d5abd02b7f5449
Opcode Fuzzy Hash: ea3281cf7358ddd138d81f1395427732208d9266b1c19570595f570d55d95759
Instruction Fuzzy Hash: 9551C5B1A006499FDB10CFA8D855AEEBBF9FF09301F14412AF955E7291E7309A45CF60

Function 00842D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00842D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00842D53
_ValidateLocalCookies.LIBCMT ref: 00842DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00842E0C
_ValidateLocalCookies.LIBCMT ref: 00842E61

Strings

csm, xrefs: 00842DF6

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 30c5373af0678623f616a653d2feb8cbbce01898867aa540199022d884b434e3
Instruction ID: 05013e509d2958f451040edd51935e417c7f14c5d0034a411409ae6c3dedea75
Opcode Fuzzy Hash: 30c5373af0678623f616a653d2feb8cbbce01898867aa540199022d884b434e3
Instruction Fuzzy Hash: C7418A34E0420DABCF10DF68C885A9EBBB5FF45328F548165F815EB292D735AA11CB91

Function 008A10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008A304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 008A307A
Part of subcall function 008A304E: _wcslen.LIBCMT ref: 008A309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008A1112
WSAGetLastError.WSOCK32 ref: 008A1121
WSAGetLastError.WSOCK32 ref: 008A11C9
closesocket.WSOCK32(00000000), ref: 008A11F9

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 0b5d15a7776c213845675fe75c8d452615994a076fd4f084461ff678cf79872f
Instruction ID: c5ce30d9de5b9801f96d61eafe8397f0ff79545ff9c4a1d471be27ba06b6f278
Opcode Fuzzy Hash: 0b5d15a7776c213845675fe75c8d452615994a076fd4f084461ff678cf79872f
Instruction Fuzzy Hash: 2541F431600214AFEB109F18D888BA9B7E9FF46364F148159F915DB291DB70ED81CBE1

Function 0088CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0088DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0088CF22,?), ref: 0088DDFD

Part of subcall function 0088DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0088CF22,?), ref: 0088DE16

lstrcmpiW.KERNEL32(?,?), ref: 0088CF45
MoveFileW.KERNEL32(?,?), ref: 0088CF7F
_wcslen.LIBCMT ref: 0088D005
_wcslen.LIBCMT ref: 0088D01B
SHFileOperationW.SHELL32(?), ref: 0088D061

Strings

\*.*, xrefs: 0088CFF3

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: c6763dade7d98b44bde55f6b9143ac37c9cbe684d78a95642374dcaee6c787f8
Instruction ID: da139ad8e5060606e5f1f321bda636de6c407ace08420bc44674ed64473e7382
Opcode Fuzzy Hash: c6763dade7d98b44bde55f6b9143ac37c9cbe684d78a95642374dcaee6c787f8
Instruction Fuzzy Hash: CB4101719452185FDF12FBA4D981ADEB7B9FF08380F1000A6E645EB142EF74AA89CB51

Function 008B2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 008B2E1C
GetWindowLongW.USER32(?,000000F0), ref: 008B2E4F
GetWindowLongW.USER32(?,000000F0), ref: 008B2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 008B2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 008B2EE0
GetWindowLongW.USER32(?,000000F0), ref: 008B2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008B2F0B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a3f2e10f38327cddfa2483adeee65ec5c2c8c2749db15cc9354e0771dd7f5a53
Instruction ID: e9dd54a426e370712ccbe31904e69219aaa557ea5d14cbc51ce81aaf75feb9eb
Opcode Fuzzy Hash: a3f2e10f38327cddfa2483adeee65ec5c2c8c2749db15cc9354e0771dd7f5a53
Instruction Fuzzy Hash: 0B31F030644254AFEB61CF69DC88FA53BA5FBAA710F1501A4F901CB2B2CBB1E840DB51

Function 00887726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00887769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0088778F
SysAllocString.OLEAUT32(00000000), ref: 00887792
SysAllocString.OLEAUT32(?), ref: 008877B0
SysFreeString.OLEAUT32(?), ref: 008877B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008877DE
SysAllocString.OLEAUT32(?), ref: 008877EC

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 23de54c19e9847dfdb3007998024240c2310ab1c847d9f1bac8d401d266d2c4b
Instruction ID: 9e5ff33bb5dd7b1c98c0b94047b87e22ecc9d2a4904841589ed1c0762110a4c5
Opcode Fuzzy Hash: 23de54c19e9847dfdb3007998024240c2310ab1c847d9f1bac8d401d266d2c4b
Instruction Fuzzy Hash: 3D219C76608219AFDB10BFA8CC88CBA73ACFF09764B148125BA14DB251D670DD41C7A4

Function 008877FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00887842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00887868
SysAllocString.OLEAUT32(00000000), ref: 0088786B
SysAllocString.OLEAUT32 ref: 0088788C
SysFreeString.OLEAUT32 ref: 00887895
StringFromGUID2.OLE32(?,?,00000028), ref: 008878AF
SysAllocString.OLEAUT32(?), ref: 008878BD

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 77120bf4a48935c3d55ee3f3c9239ce21b4a22912983c7d2970f394c883e7639
Instruction ID: c9b4c0d7ae8bdda4d9c0b1b9553229eabddd456e3f640a976b066dc98cfc948a
Opcode Fuzzy Hash: 77120bf4a48935c3d55ee3f3c9239ce21b4a22912983c7d2970f394c883e7639
Instruction Fuzzy Hash: 38217431608108AFDB10AFA8DC88DAA77FCFB497607208135F915CB2A1DA70DD41CB78

Function 008904D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008904F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0089052E

Strings

nul, xrefs: 00890567

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e354eab677d06e378f09dd9fbc0564fc8a12d44352c2c19d3a24ccf565dd7252
Instruction ID: 7ea7601bae8db50d64e8a15ae51a74b34b94ca9246eaa9256720b226936851d4
Opcode Fuzzy Hash: e354eab677d06e378f09dd9fbc0564fc8a12d44352c2c19d3a24ccf565dd7252
Instruction Fuzzy Hash: 9B216D75500305AFDF20AF69DC44A9A77B8FF44764F654A29F8A1E62E0D7709940CF20

Function 008905A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008905C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00890601

Strings

nul, xrefs: 00890639

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a229d6cb33cf9de0653b963c500b03c47de6f43606c2224c1750ccf9bdb9c443
Instruction ID: 9bb2b30ba2dabd958bfe864b8887c2b1c14cd02c17e880a6020e55f0133af672
Opcode Fuzzy Hash: a229d6cb33cf9de0653b963c500b03c47de6f43606c2224c1750ccf9bdb9c443
Instruction Fuzzy Hash: 7D2151755003059FDF21AF699C04A9A77E8FFA5724F240B19F8A1E72E0D7709960CF20

Function 008B40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0082600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0082604C
Part of subcall function 0082600E: GetStockObject.GDI32(00000011), ref: 00826060
Part of subcall function 0082600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0082606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008B4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008B411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008B412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008B4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008B4145

Strings

Msctls_Progress32, xrefs: 008B40E3

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 67a06b6b8977975554608ab7439cb3333ef34e216fd607255eda5a6ca48451f5
Instruction ID: 952cb7745f472d7e136d448c5091c4cc58fe5c279b73d4cec6ecf35248bc3162
Opcode Fuzzy Hash: 67a06b6b8977975554608ab7439cb3333ef34e216fd607255eda5a6ca48451f5
Instruction Fuzzy Hash: C71190B215021DBEEF119E68CC86EE77F9DFF19798F004111BA18E2150C6729C61DBA4

Function 0085D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0085D7A3: _free.LIBCMT ref: 0085D7CC

_free.LIBCMT ref: 0085D82D

Part of subcall function 008529C8: HeapFree.KERNEL32(00000000,00000000,?,0085D7D1,00000000,00000000,00000000,00000000,?,0085D7F8,00000000,00000007,00000000,?,0085DBF5,00000000), ref: 008529DE
Part of subcall function 008529C8: GetLastError.KERNEL32(00000000,?,0085D7D1,00000000,00000000,00000000,00000000,?,0085D7F8,00000000,00000007,00000000,?,0085DBF5,00000000,00000000), ref: 008529F0

_free.LIBCMT ref: 0085D838
_free.LIBCMT ref: 0085D843
_free.LIBCMT ref: 0085D897
_free.LIBCMT ref: 0085D8A2
_free.LIBCMT ref: 0085D8AD
_free.LIBCMT ref: 0085D8B8

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 054db6233d99eb8f1647700af4086d67aded4711d33133fc6d2e4356e3c61c67
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 1D115E71540B04AAD631BFB4CC47FCB7FDCFF09702F400825BE99E6992DA65B5098662

Function 0088DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0088DA74
LoadStringW.USER32(00000000), ref: 0088DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0088DA91
LoadStringW.USER32(00000000), ref: 0088DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0088DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0088DAB9

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f10742a4176b448957fd040c09727578ddc549ccdf18b4f1c30a5b570b368c2e
Instruction ID: 9c8aaf8a9f7c61de01b4df8fd56186fc2d1482be967c216aca263f407c3c2b4d
Opcode Fuzzy Hash: f10742a4176b448957fd040c09727578ddc549ccdf18b4f1c30a5b570b368c2e
Instruction Fuzzy Hash: B2016DF29002187FE711ABE49D89EEB376CFB08305F400596B746E2081EA749E848F74

Function 0089096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00D1E7A8,00D1E7A8), ref: 0089097B
EnterCriticalSection.KERNEL32(00D1E788,00000000), ref: 0089098D
TerminateThread.KERNEL32(?,000001F6), ref: 0089099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008909A9
CloseHandle.KERNEL32(?), ref: 008909B8
InterlockedExchange.KERNEL32(00D1E7A8,000001F6), ref: 008909C8
LeaveCriticalSection.KERNEL32(00D1E788), ref: 008909CF

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f2e7bcd1f56bc3becf0efaca2fb627b24ae6bc6f8c42f2ca9c6ef4d34404bbe1
Instruction ID: 1c94ef795818474013df098cb305bdd8854658ddf97e3fb21030300c42ec5d87
Opcode Fuzzy Hash: f2e7bcd1f56bc3becf0efaca2fb627b24ae6bc6f8c42f2ca9c6ef4d34404bbe1
Instruction Fuzzy Hash: 0CF0EC32442A12BFDB555FA4EE8DBD6BB39FF05702F442226F202908A1C7759865CF90

Function 008A1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 008A1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 008A1DE1
WSAGetLastError.WSOCK32 ref: 008A1DF2
htons.WSOCK32(?,?,?,?,?), ref: 008A1EDB
inet_ntoa.WSOCK32(?), ref: 008A1E8C

Part of subcall function 008839E8: _strlen.LIBCMT ref: 008839F2

Part of subcall function 008A3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0089EC0C), ref: 008A3240

_strlen.LIBCMT ref: 008A1F35

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 6910b1c558e675b24b5309d8fc0dd745ef8600e5bf252b631ed9fabc624357a4
Instruction ID: 342439b03635bab067f64646bf7fa6ce8016b732e4f24e3574b4a8d441e92705
Opcode Fuzzy Hash: 6910b1c558e675b24b5309d8fc0dd745ef8600e5bf252b631ed9fabc624357a4
Instruction Fuzzy Hash: 83B1EF30204340AFE724DF28C889E2A7BA5FF85318F54855CF4569F6A2DB71ED81CB92

Function 00825D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00825D30
GetWindowRect.USER32(?,?), ref: 00825D71
ScreenToClient.USER32(?,?), ref: 00825D99
GetClientRect.USER32(?,?), ref: 00825ED7
GetWindowRect.USER32(?,?), ref: 00825EF8

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 7aa54d5cb6debe4e36a82d3214b51049304c03b258240e03d3ef63eb77b27b60
Instruction ID: b371651fed4ab9e4d4ab25ed3d540a04a744f588d6d0095deb06d4758d151c11
Opcode Fuzzy Hash: 7aa54d5cb6debe4e36a82d3214b51049304c03b258240e03d3ef63eb77b27b60
Instruction Fuzzy Hash: 07B17938A0074ADBDB14CFA8C4807EEB7F1FF58310F15951AE8A9D7250DB30AA91DB50

Function 008501B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008500BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008500D6
__allrem.LIBCMT ref: 008500ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0085010B
__allrem.LIBCMT ref: 00850122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00850140

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 87be0afb0d0f8ddc878732bd9dff421bd0098ad9fe155c1300ee7926b07593b3
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: C681E772A00B0A9BE7209F6CCC41B6A73E9FF51365F24413EF951D6682EF70D9088B52

Function 008561FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008482D9,008482D9,?,?,?,0085644F,00000001,00000001,8BE85006), ref: 00856258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0085644F,00000001,00000001,8BE85006,?,?,?), ref: 008562DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008563D8
__freea.LIBCMT ref: 008563E5

Part of subcall function 00853820: RtlAllocateHeap.NTDLL(00000000,?,008F1444,?,0083FDF5,?,?,0082A976,00000010,008F1440,008213FC,?,008213C6,?,00821129), ref: 00853852

__freea.LIBCMT ref: 008563EE
__freea.LIBCMT ref: 00856413

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: b218fbf1546f4de9f413552c7e4dc9299adef6904fe52c4e365575f7b447b8d3
Instruction ID: 32f1586825b6b3b1fcfa8a6f94809f0ad4f1ddc67f8066294743e4138ec22902
Opcode Fuzzy Hash: b218fbf1546f4de9f413552c7e4dc9299adef6904fe52c4e365575f7b447b8d3
Instruction Fuzzy Hash: 9751C072A00216ABEF258F68CC81EEF7BA9FB44752F554629FC05D7240EB34DC68C661

Function 008ABBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

Part of subcall function 008AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008AB6AE,?,?), ref: 008AC9B5
Part of subcall function 008AC998: _wcslen.LIBCMT ref: 008AC9F1
Part of subcall function 008AC998: _wcslen.LIBCMT ref: 008ACA68
Part of subcall function 008AC998: _wcslen.LIBCMT ref: 008ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008ABCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008ABD25
RegCloseKey.ADVAPI32(00000000), ref: 008ABD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008ABD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 008ABDF3
RegCloseKey.ADVAPI32(?), ref: 008ABDFF

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 623089210ab80ea340692f9d4636bb744a97858aacd7eafa5df6106e864072ab
Instruction ID: 1aaec271e32be6c9dcd13963c9c1a12f02b310dffa920434c40751e61e19ec75
Opcode Fuzzy Hash: 623089210ab80ea340692f9d4636bb744a97858aacd7eafa5df6106e864072ab
Instruction Fuzzy Hash: 6F818F71208241EFD714DF24C895E2ABBE5FF85308F14896CF5998B2A2DB31ED45CB92

Function 0087F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0087F7B9
SysAllocString.OLEAUT32(00000001), ref: 0087F860
VariantCopy.OLEAUT32(0087FA64,00000000), ref: 0087F889
VariantClear.OLEAUT32(0087FA64), ref: 0087F8AD
VariantCopy.OLEAUT32(0087FA64,00000000), ref: 0087F8B1
VariantClear.OLEAUT32(?), ref: 0087F8BB

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 936c5520202094cd625d6ec8b655ef1e2fbaf61e237a18587afe95252394036c
Instruction ID: d6776a27d986a6ae55aee5d81f96d5bd2195b19f5fa726393ce5f06e53024d99
Opcode Fuzzy Hash: 936c5520202094cd625d6ec8b655ef1e2fbaf61e237a18587afe95252394036c
Instruction Fuzzy Hash: 2751B531500314AACF10AB6AD895769B7A4FF45314F24D466EB09EF29BDB70CC40D7A7

Function 0089910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00827620: _wcslen.LIBCMT ref: 00827625

Part of subcall function 00826B57: _wcslen.LIBCMT ref: 00826B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008994E5
_wcslen.LIBCMT ref: 00899506
_wcslen.LIBCMT ref: 0089952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00899585

Strings

X, xrefs: 00899412

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: c89196597bc2ad945d0b1f2f2dba0d80ca7e7a9722b8ce3725ee1bd956f1576b
Instruction ID: 5eb0a435737c0040e67540e28008be2efa0c2a3e596940e21937f7167eed8c2c
Opcode Fuzzy Hash: c89196597bc2ad945d0b1f2f2dba0d80ca7e7a9722b8ce3725ee1bd956f1576b
Instruction Fuzzy Hash: BFE18F315043509FDB14EF28D881A6AB7E4FF84314F09896DE899DB3A2DB31DD45CB92

Function 0083920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00839BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00839BB2

BeginPaint.USER32(?,?,?), ref: 00839241
GetWindowRect.USER32(?,?), ref: 008392A5
ScreenToClient.USER32(?,?), ref: 008392C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008392D3
EndPaint.USER32(?,?,?,?,?), ref: 00839321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008771EA

Part of subcall function 00839339: BeginPath.GDI32(00000000), ref: 00839357

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 6142b6fd07dc453860f84b8ef97ccadaa445d1159eead32ed1a931d530a918ef
Instruction ID: 5110df22e336143018812b61c8e1d7714a61a88d6fe01e6c47ff1812b6c8766c
Opcode Fuzzy Hash: 6142b6fd07dc453860f84b8ef97ccadaa445d1159eead32ed1a931d530a918ef
Instruction Fuzzy Hash: FC419270104201EFDB11DF28CC88FBA7BA8FB95324F140669F9A5D72A1D7B19845DBA2

Function 008907EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0089080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00890847
EnterCriticalSection.KERNEL32(?), ref: 00890863
LeaveCriticalSection.KERNEL32(?), ref: 008908DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008908F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00890921

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: cf6e1d84320c41d24f9ffec6d291cc67c146395af6d43a22e55d9d14e310fa77
Instruction ID: 805a2037bcd5bb033e1bd96a2e88b968ae1a533dcba19da33ae9214653f3fd2e
Opcode Fuzzy Hash: cf6e1d84320c41d24f9ffec6d291cc67c146395af6d43a22e55d9d14e310fa77
Instruction Fuzzy Hash: 0D415671A00205AFDF14AF58DC85AAA77B9FF44300F1440A9E900EE297DB30DE60DBA1

Function 008B81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0087F3AB,00000000,?,?,00000000,?,0087682C,00000004,00000000,00000000), ref: 008B824C
EnableWindow.USER32(?,00000000), ref: 008B8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008B82D1
ShowWindow.USER32(?,00000004), ref: 008B82E5
EnableWindow.USER32(?,00000001), ref: 008B830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 008B832F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e8dd5f250e56aab4bbcc1716209f944f4c97dacad1d9b0f0dd79e3853a95ff05
Instruction ID: c1a94ba256244619a12a19b7c4ce78b5fd75f37adb70cd9dc5cd60136c35c0c8
Opcode Fuzzy Hash: e8dd5f250e56aab4bbcc1716209f944f4c97dacad1d9b0f0dd79e3853a95ff05
Instruction Fuzzy Hash: AB416034601644EFDF26CF25C899FE57FE5FB1A714F1842A9E5088B3A2CB71A841CB90

Function 00884C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00884C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00884CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00884CEA
_wcslen.LIBCMT ref: 00884D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00884D10
_wcsstr.LIBVCRUNTIME ref: 00884D1A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: c1b133951488faa36086d1bd5266cdad2364c852dadcc8231442950f4375904c
Instruction ID: 755797299c70b6fce12da170c13d2cfa1cf7e257faa8c6287abc339d082224b1
Opcode Fuzzy Hash: c1b133951488faa36086d1bd5266cdad2364c852dadcc8231442950f4375904c
Instruction Fuzzy Hash: 60212633604206BBEB656B39EC09E7B7B9CFF45754F10902EF805CA192EA61DC0093A1

Function 0089581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00823AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00823A97,?,?,00822E7F,?,?,?,00000000), ref: 00823AC2

_wcslen.LIBCMT ref: 0089587B
CoInitialize.OLE32(00000000), ref: 00895995
CoCreateInstance.OLE32(008BFCF8,00000000,00000001,008BFB68,?), ref: 008959AE
CoUninitialize.OLE32 ref: 008959CC

Strings

.lnk, xrefs: 00895876, 008958C1, 00895985

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 05c6ac80fd10a71a1186d3d0505fb2d1ad8f45789226cd8f712e997f4d931046
Instruction ID: 0340783ddb6af0e60283a1511d616139ed0aeb9fe2ced9dbd037f3b31dbc22e3
Opcode Fuzzy Hash: 05c6ac80fd10a71a1186d3d0505fb2d1ad8f45789226cd8f712e997f4d931046
Instruction Fuzzy Hash: 3FD163716047119FCB04EF29D480A2ABBE1FF89724F188859F889DB361DB31ED45CB92

Function 0088175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00880FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00880FCA
Part of subcall function 00880FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00880FD6
Part of subcall function 00880FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00880FE5
Part of subcall function 00880FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00880FEC
Part of subcall function 00880FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00881002

GetLengthSid.ADVAPI32(?,00000000,00881335), ref: 008817AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008817BA
HeapAlloc.KERNEL32(00000000), ref: 008817C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008817DA
GetProcessHeap.KERNEL32(00000000,00000000,00881335), ref: 008817EE
HeapFree.KERNEL32(00000000), ref: 008817F5

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 209dfce4b095cf8d7015ec141ab7e8f18e3d76521ea5a0c7f20ac9163339277e
Instruction ID: 7e1cbbcc0549398b99f05fa2dca03c946694d4f4af566679eb82739fc2c16a65
Opcode Fuzzy Hash: 209dfce4b095cf8d7015ec141ab7e8f18e3d76521ea5a0c7f20ac9163339277e
Instruction Fuzzy Hash: F6119772600205EBDF10AFA8DC49BAE7BADFB41359F104119F481E7214CB36A946CB60

Function 008814CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008814FF
OpenProcessToken.ADVAPI32(00000000), ref: 00881506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00881515
CloseHandle.KERNEL32(00000004), ref: 00881520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0088154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00881563

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: a3440a150f9c49c30348fe196e8f698e6800a444f14ea2bb9814169c07f208c3
Instruction ID: 101fac8515ea499087dda2a0805f8c3358dd6c704a38f0392c8f327d49ef7469
Opcode Fuzzy Hash: a3440a150f9c49c30348fe196e8f698e6800a444f14ea2bb9814169c07f208c3
Instruction Fuzzy Hash: E611567250420DABDF119FA8ED49FDE7BAEFF48708F044124FA05A2160C7718E62DB60

Function 00843382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00843379,00842FE5), ref: 00843390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0084339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008433B7
SetLastError.KERNEL32(00000000,?,00843379,00842FE5), ref: 00843409

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 322430cb16a2dfa944bb91342703bcd5b37a5130ddeb36e7cd4f6d187418f728
Instruction ID: c79fc6acced7ef97e874ba0b2653f08f5d4323470b4c803ad26be14959dd2964
Opcode Fuzzy Hash: 322430cb16a2dfa944bb91342703bcd5b37a5130ddeb36e7cd4f6d187418f728
Instruction Fuzzy Hash: 6501F733A0972ABFA6292B787CC5A672F94FB257797200329F420C53F1FF114E026544

Function 00852D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00855686,00863CD6,?,00000000,?,00855B6A,?,?,?,?,?,0084E6D1,?,008E8A48), ref: 00852D78
_free.LIBCMT ref: 00852DAB
_free.LIBCMT ref: 00852DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0084E6D1,?,008E8A48,00000010,00824F4A,?,?,00000000,00863CD6), ref: 00852DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0084E6D1,?,008E8A48,00000010,00824F4A,?,?,00000000,00863CD6), ref: 00852DEC
_abort.LIBCMT ref: 00852DF2

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 7f7d5586f492539a7a183091b987d6293de6b7bbae9680feb39968f59fbd5032
Instruction ID: f5bb3f9ab0246e1b44e5afd211f53b67c75a94c3ac009a9af80f1b782852c155
Opcode Fuzzy Hash: 7f7d5586f492539a7a183091b987d6293de6b7bbae9680feb39968f59fbd5032
Instruction Fuzzy Hash: 3CF0A432544A046BC212373CAC06E5A2A69FBC37A7F244519FC24E2292EF24880E4162

Function 008B8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00839639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00839693
Part of subcall function 00839639: SelectObject.GDI32(?,00000000), ref: 008396A2
Part of subcall function 00839639: BeginPath.GDI32(?), ref: 008396B9
Part of subcall function 00839639: SelectObject.GDI32(?,00000000), ref: 008396E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 008B8A4E
LineTo.GDI32(?,00000003,00000000), ref: 008B8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 008B8A70
LineTo.GDI32(?,00000000,00000003), ref: 008B8A80
EndPath.GDI32(?), ref: 008B8A90
StrokePath.GDI32(?), ref: 008B8AA0

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ced089823e5619f5972ec0a9a21f46284766c1e0c68f43d5192c56075fb5afe8
Instruction ID: 8dbaf112088da70ffd64852db0c06739dfe8db1812a40728f8b103431a2c4a07
Opcode Fuzzy Hash: ced089823e5619f5972ec0a9a21f46284766c1e0c68f43d5192c56075fb5afe8
Instruction Fuzzy Hash: 03110576400119FFEF129F94DC88EAA7F6CFB08390F008122FA599A1A1D7719D55DFA0

Function 008851FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00885218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00885229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00885230
ReleaseDC.USER32(00000000,00000000), ref: 00885238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0088524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00885261

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: abc2ed9751a64cc071a278bfa05790d414bf938c2ff083cd0ec7708b9a5fef93
Instruction ID: de700759f9412719621b7ab873a3f0a6d641980281246608eb8b15ef99683359
Opcode Fuzzy Hash: abc2ed9751a64cc071a278bfa05790d414bf938c2ff083cd0ec7708b9a5fef93
Instruction Fuzzy Hash: A1016275E40718BBEB10ABAA9C49E5EBFB8FF48751F044165FA04E7291DA709C00CFA0

Function 00821BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00821BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00821BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00821C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00821C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00821C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00821C22

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6e7c39a2687ec14d8c2d81263f08c6392070172a180d88fa738f2bfb85848607
Instruction ID: be596a76f7549e4a8ab4e39f15ad1a29e936905b34182a58a4acc5f0ce722efc
Opcode Fuzzy Hash: 6e7c39a2687ec14d8c2d81263f08c6392070172a180d88fa738f2bfb85848607
Instruction Fuzzy Hash: 3B0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 0088EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0088EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0088EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0088EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0088EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0088EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0088EB75

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 4cafdfdc92ee2ef8e28a4a2baf0ded3777bb1fc938e33b7bc249d22e959e5467
Instruction ID: 8f7c097e189b62b045c58b611461e93eca7814aa85447e3519cdd6827ae71914
Opcode Fuzzy Hash: 4cafdfdc92ee2ef8e28a4a2baf0ded3777bb1fc938e33b7bc249d22e959e5467
Instruction Fuzzy Hash: BCF01772240158BBE6215B629C0EEEB7B7CFBCBB11F000269FA11E1191A6A05A0186B5

Function 00877439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00877452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00877469
GetWindowDC.USER32(?), ref: 00877475
GetPixel.GDI32(00000000,?,?), ref: 00877484
ReleaseDC.USER32(?,00000000), ref: 00877496
GetSysColor.USER32(00000005), ref: 008774B0

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 7aacc2dca4cfe15daccdfeca4a7b507fa30a7b9e29f577bcf1a5b0a8c9923392
Instruction ID: 6cac793bd4000f6d131ed6bf719b371d673d1d95e8162072d32d71e6f68f849d
Opcode Fuzzy Hash: 7aacc2dca4cfe15daccdfeca4a7b507fa30a7b9e29f577bcf1a5b0a8c9923392
Instruction Fuzzy Hash: 89014B31400219EFDB515F64DC08FAA7BB5FB04315F514264FA19A21A1CB315E51EB50

Function 00881874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0088187F
UnloadUserProfile.USERENV(?,?), ref: 0088188B
CloseHandle.KERNEL32(?), ref: 00881894
CloseHandle.KERNEL32(?), ref: 0088189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008818A5
HeapFree.KERNEL32(00000000), ref: 008818AC

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: c1d0dda42be1e202b89db95ea7d9e018747eb0d5bcee55d27c9ae3819ca45ae7
Instruction ID: ded2cdadd5451f97da8a292d4e79c36f6238d6ec96ab62a2126c4aad648fb3c2
Opcode Fuzzy Hash: c1d0dda42be1e202b89db95ea7d9e018747eb0d5bcee55d27c9ae3819ca45ae7
Instruction Fuzzy Hash: A9E0E576004101BBDB015FA9ED0C90AFF79FF49B22B508321F22591170CB329420DF60

Function 0088C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00827620: _wcslen.LIBCMT ref: 00827625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0088C6EE
_wcslen.LIBCMT ref: 0088C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0088C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0088C7CA

Strings

0, xrefs: 0088C6AF

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 70ad16f079d46767438fa79080b0e88855c5f7f7b782eea97bf32179be2e9290
Instruction ID: 6cf86d6b907520d2f0a32eab484ac535b95ac772b964c6428cc6933facf56f1e
Opcode Fuzzy Hash: 70ad16f079d46767438fa79080b0e88855c5f7f7b782eea97bf32179be2e9290
Instruction Fuzzy Hash: B051CE716143019BD724FF2CC885A6B77E8FF99314F040A2DFA95D31A9EB70D9048BA2

Function 008AAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 008AAEA3

Part of subcall function 00827620: _wcslen.LIBCMT ref: 00827625

GetProcessId.KERNEL32(00000000), ref: 008AAF38
CloseHandle.KERNEL32(00000000), ref: 008AAF67

Strings

<, xrefs: 008AAE6B
@, xrefs: 008AAE72

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: c87c42f0cd49b964e0b5be902367e8dc1062932c91712dab2c107c73056df5f9
Instruction ID: cab932fe531ee9f74e33c9a75e33bcbc1f41299ee897e1b082d982f70c18c763
Opcode Fuzzy Hash: c87c42f0cd49b964e0b5be902367e8dc1062932c91712dab2c107c73056df5f9
Instruction Fuzzy Hash: D0716A70A00219DFDB18DF58D484A9EBBF0FF09310F048499E856ABB52CB74ED81CB92

Function 0088719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00887206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0088723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0088724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008872CF

Strings

DllGetClassObject, xrefs: 00887242

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 306a00885446eef4dc1f051c14614783e20363ea8bb9ebc5abd506c4415613bb
Instruction ID: aef0593f6160376237d1ea6d4e88ccf0b5f588515e41a7b10fe8545d45fc5e84
Opcode Fuzzy Hash: 306a00885446eef4dc1f051c14614783e20363ea8bb9ebc5abd506c4415613bb
Instruction Fuzzy Hash: D3416F71A04208EFDB15DF54C884A9A7BB9FF45314F2480A9BD0AEF21AD7B1D944CBA0

Function 008B3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008B3E35
IsMenu.USER32(?), ref: 008B3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008B3E92
DrawMenuBar.USER32 ref: 008B3EA5

Strings

0, xrefs: 008B3D89

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 7e24f3124adb3013733216f5866f1e326096ddbd97ef5a5ccf768261af2a3c8a
Instruction ID: 0c4747cff6b06d4bb70f25580ed1e2067a4f494d44723cb0762a8ab669449af4
Opcode Fuzzy Hash: 7e24f3124adb3013733216f5866f1e326096ddbd97ef5a5ccf768261af2a3c8a
Instruction Fuzzy Hash: 5C411275A01209EFDB20DF64D884AEABBB9FF49354F04412AE905AB750D730EE44CBA0

Function 00881DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

Part of subcall function 00883CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00883CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00881E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00881E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00881EA9

Part of subcall function 00826B57: _wcslen.LIBCMT ref: 00826B6A

Strings

ListBox, xrefs: 00881E25
ComboBox, xrefs: 00881DF0

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 85a7b6f355aba63690d955473e40982d3b4edb435499b076ae0f4b1a7273f114
Instruction ID: b923767e4dc4b9866d1989a722571c8ab2270e6633a7fedfacaf1fae144e57fa
Opcode Fuzzy Hash: 85a7b6f355aba63690d955473e40982d3b4edb435499b076ae0f4b1a7273f114
Instruction Fuzzy Hash: C421E471A00108ABDB14AB68EC49CFFB7ADFF56364B144129F825E72E1DB7449468720

Function 008B2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008B2F8D
LoadLibraryW.KERNEL32(?), ref: 008B2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008B2FA9
DestroyWindow.USER32(?), ref: 008B2FB1

Strings

SysAnimate32, xrefs: 008B2F68

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: cee7518ad3997fc7ead7081c87ca554b09a310851fb3de4dcfd9252846f015fd
Instruction ID: 66cf679f4554ecb5ffa9b38953055e9d2fa1b377b8c6761ffa55b42727eb1a0b
Opcode Fuzzy Hash: cee7518ad3997fc7ead7081c87ca554b09a310851fb3de4dcfd9252846f015fd
Instruction Fuzzy Hash: F4218C71214209ABEF205F64DC84EFB77B9FB59364F104628F950D6390DB71DC919760

Function 00844D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00844D1E,008528E9,?,00844CBE,008528E9,008E88B8,0000000C,00844E15,008528E9,00000002), ref: 00844D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00844DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00844D1E,008528E9,?,00844CBE,008528E9,008E88B8,0000000C,00844E15,008528E9,00000002,00000000), ref: 00844DC3

Strings

CorExitProcess, xrefs: 00844D98
mscoree.dll, xrefs: 00844D86

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d2e37efcd2959def67e4a404c899bf4ddc21380f12510dd7d169e14002ae1179
Instruction ID: 16ba808345e2b026fbbcc3ff8cb0fa9611cd5a3cc50713f0224b85f209e01df6
Opcode Fuzzy Hash: d2e37efcd2959def67e4a404c899bf4ddc21380f12510dd7d169e14002ae1179
Instruction Fuzzy Hash: 44F04935A4021CFBDB159F94DC49BAEBBB9FF44752F0001A8F90AE2260CB759A44DE91

Function 0087D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0087D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0087D3BF
FreeLibrary.KERNEL32(00000000), ref: 0087D3E5

Strings

X64, xrefs: 0087D2A8
GetSystemWow64DirectoryW, xrefs: 0087D3B9

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 8bf23a61de33eda616b5953dc36c4d9b482dc7977c7208d5f34d718eecb07786
Instruction ID: d1498792d1bc33bef72434598a940278fbacf075252e1770b5c1f32b1c0778fb
Opcode Fuzzy Hash: 8bf23a61de33eda616b5953dc36c4d9b482dc7977c7208d5f34d718eecb07786
Instruction Fuzzy Hash: 3FF05531801B248BC77057148C5896E7334FF21B05F55C254FA0EF636EEB60DC4686D2

Function 00824E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00824EDD,?,008F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00824E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00824EAE
FreeLibrary.KERNEL32(00000000,?,?,00824EDD,?,008F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00824EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00824EA8
kernel32.dll, xrefs: 00824E94

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 8b8c062ce5670ab6e550b0defb20f9f35353110698825672767725ec3d893c3a
Instruction ID: 397285f2be94e52c3d7f64a0fb161be155f0e910b48e361d9c42a0d9a9736ca8
Opcode Fuzzy Hash: 8b8c062ce5670ab6e550b0defb20f9f35353110698825672767725ec3d893c3a
Instruction Fuzzy Hash: 58E08639A016325BA2311B29BC18A5F7658FF81F727060215FC10E2300DBA4CD4240B0

Function 00824E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00863CDE,?,008F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00824E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00824E74
FreeLibrary.KERNEL32(00000000,?,?,00863CDE,?,008F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00824E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00824E6E
kernel32.dll, xrefs: 00824E5B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 5e24a078feaa7a1b9025964266ddc51f73bd1138c436d6d7243d1675dbd04a12
Instruction ID: 5eb56b319fb2637dcc527cde878c5dc768dc815edbb32ef02f9397cda878414b
Opcode Fuzzy Hash: 5e24a078feaa7a1b9025964266ddc51f73bd1138c436d6d7243d1675dbd04a12
Instruction Fuzzy Hash: E9D01239502632576A221B297C1CD8F7B18FF85B713460615F915F6224CF64CD4285F0

Function 00892947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00892C05
DeleteFileW.KERNEL32(?), ref: 00892C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00892C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00892CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00892CC0

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 0928e630c0b0aafc8798c53e2ef61c9955c8c3738595822b6b2ff7133665e698
Instruction ID: 96a616efab4f18c419453c464a31fd4d3619e0c50f6550cd6e8d26158f91589c
Opcode Fuzzy Hash: 0928e630c0b0aafc8798c53e2ef61c9955c8c3738595822b6b2ff7133665e698
Instruction Fuzzy Hash: 13B13F72D0012DABDF21EBA8CC85EDEB7BDFF49354F1440A6F509E6151EA309A448F61

Function 008AA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 008AA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008AA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 008AA468
CloseHandle.KERNEL32(?), ref: 008AA63D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: c091d9c205b35af916f14c4ad8faac907f3eda66ff8ae2c5f981cdaa748172ba
Instruction ID: cd8e5de334048449d0dd3a4f8c1330061d3f9924ef554ee72d65ae551a2f97a2
Opcode Fuzzy Hash: c091d9c205b35af916f14c4ad8faac907f3eda66ff8ae2c5f981cdaa748172ba
Instruction Fuzzy Hash: 9FA17C716043009FE724DF28D886B2AB7E5FB88714F14881DF55ADB692DBB0EC41CB92

Function 0085BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,008C3700), ref: 0085BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008F121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0085BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008F1270,000000FF,?,0000003F,00000000,?), ref: 0085BC36
_free.LIBCMT ref: 0085BB7F

Part of subcall function 008529C8: HeapFree.KERNEL32(00000000,00000000,?,0085D7D1,00000000,00000000,00000000,00000000,?,0085D7F8,00000000,00000007,00000000,?,0085DBF5,00000000), ref: 008529DE
Part of subcall function 008529C8: GetLastError.KERNEL32(00000000,?,0085D7D1,00000000,00000000,00000000,00000000,?,0085D7F8,00000000,00000007,00000000,?,0085DBF5,00000000,00000000), ref: 008529F0

_free.LIBCMT ref: 0085BD4B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 9b1cb538e450f263edafb964faee35be8aae5feb6df0cace06c9f9a446437d9d
Instruction ID: f5c42dc3c16121aae2107dbdd85d853d11f76c51281b0da2d5630aaac5b173a0
Opcode Fuzzy Hash: 9b1cb538e450f263edafb964faee35be8aae5feb6df0cace06c9f9a446437d9d
Instruction Fuzzy Hash: 93510971900209EFCB10DFB99C85DBEB7B8FF51362B10026AE950E7291EB709D49CB51

Function 0088E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0088DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0088CF22,?), ref: 0088DDFD

Part of subcall function 0088DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0088CF22,?), ref: 0088DE16

Part of subcall function 0088E199: GetFileAttributesW.KERNEL32(?,0088CF95), ref: 0088E19A

lstrcmpiW.KERNEL32(?,?), ref: 0088E473
MoveFileW.KERNEL32(?,?), ref: 0088E4AC
_wcslen.LIBCMT ref: 0088E5EB
_wcslen.LIBCMT ref: 0088E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0088E650

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 060d70ac2dfab1f86d143cfe4f0f667c5753c4b0b82c6980f3ece26fdd790d14
Instruction ID: 549350bd5d2bb0c02802f1002ea2551504f0e39fe75946cf236073528f7b6444
Opcode Fuzzy Hash: 060d70ac2dfab1f86d143cfe4f0f667c5753c4b0b82c6980f3ece26fdd790d14
Instruction Fuzzy Hash: 1D512EB24087455BC724EBA4D8819DFB7ECFF94340F00492EE589D3191EF74A688876B

Function 008AB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

Part of subcall function 008AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008AB6AE,?,?), ref: 008AC9B5
Part of subcall function 008AC998: _wcslen.LIBCMT ref: 008AC9F1
Part of subcall function 008AC998: _wcslen.LIBCMT ref: 008ACA68
Part of subcall function 008AC998: _wcslen.LIBCMT ref: 008ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008ABAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008ABB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 008ABB63
RegCloseKey.ADVAPI32(?,?), ref: 008ABBA6
RegCloseKey.ADVAPI32(00000000), ref: 008ABBB3

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 336185b373edc91950499ffc2a404b4b1a9c7f207f45f41c2554d80d9dea180c
Instruction ID: 7d270c499ad617a25aae72b14057f6a4ec6c0aa20bc3ef361e66fbc216eb71cb
Opcode Fuzzy Hash: 336185b373edc91950499ffc2a404b4b1a9c7f207f45f41c2554d80d9dea180c
Instruction Fuzzy Hash: 8061A031208245EFD314DF24C490E2ABBE5FF85318F54856CF4998B6A2DB31ED46CBA2

Function 00888BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00888BCD
VariantClear.OLEAUT32 ref: 00888C3E
VariantClear.OLEAUT32 ref: 00888C9D
VariantClear.OLEAUT32(?), ref: 00888D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00888D3B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 89abc530be6b1e4b07761088793ed891c362a499ee95bf8994c39e34ddc7fafe
Instruction ID: ece6abb752760c21f44c72fa94b2e9a26f1e849b4f80bb5ab07c465259b37425
Opcode Fuzzy Hash: 89abc530be6b1e4b07761088793ed891c362a499ee95bf8994c39e34ddc7fafe
Instruction Fuzzy Hash: 735179B5A00219EFCB10DF68C894AAABBF9FF89314B158559F909DB354E730E911CF90

Function 00898AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00898BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00898BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00898C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00898C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00898C5F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: c6f53fc7af357c67b5dfb01f9a45a060779261896889a72b2768d4ab856ca938
Instruction ID: dd3512891b36f28875721f527cced3719384b0106add3a92bff4c01f276db436
Opcode Fuzzy Hash: c6f53fc7af357c67b5dfb01f9a45a060779261896889a72b2768d4ab856ca938
Instruction Fuzzy Hash: 6E513835A00219DFCB05EF69C881A69BBF5FF49314F088458E849AB362DB35ED51CB91

Function 008A8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 008A8F40
GetProcAddress.KERNEL32(00000000,?), ref: 008A8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 008A8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 008A9032
FreeLibrary.KERNEL32(00000000), ref: 008A9052

Part of subcall function 0083F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00891043,?,7529E610), ref: 0083F6E6
Part of subcall function 0083F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0087FA64,00000000,00000000,?,?,00891043,?,7529E610,?,0087FA64), ref: 0083F70D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 473a2e50c12b673df95c8f1c91db358712c6eb6793607114dd2584a5b141517c
Instruction ID: 96330b1129c866658c4c98c1f895bc833ce90d57fa5a2f2365f7c455b5b5665b
Opcode Fuzzy Hash: 473a2e50c12b673df95c8f1c91db358712c6eb6793607114dd2584a5b141517c
Instruction Fuzzy Hash: FC512634605615DFDB11DF58C4848A9BBF1FF4A314B0980A8E84AEB762DB31ED86CB91

Function 008B6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 008B6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 008B6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 008B6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0089AB79,00000000,00000000), ref: 008B6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 008B6CC7

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: bc34d0a75cd2b592dd4a85a5bd33c01afa20ec8762045f84d5c2852db6015299
Instruction ID: 9d4ea9361c48876c3f21aa04c1742d02cdea7c1b1d59bc889e3b62f2dea16832
Opcode Fuzzy Hash: bc34d0a75cd2b592dd4a85a5bd33c01afa20ec8762045f84d5c2852db6015299
Instruction Fuzzy Hash: C641A235A04108AFDB24CF28CC68FE97FA5FB09360F140268E995E73A0E375AD61CA50

Function 00852051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008520C3
_free.LIBCMT ref: 008520E3

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 11557e36bafb9c7db61791e87387cb8ec1e31a0ec38ad1e9cc5ab3a172d228f0
Instruction ID: 30f3dfafd188ba289d1245c0d72946a47ea55e218dffabf03321b8cd3100445a
Opcode Fuzzy Hash: 11557e36bafb9c7db61791e87387cb8ec1e31a0ec38ad1e9cc5ab3a172d228f0
Instruction Fuzzy Hash: 5B41D132E006049FCB24DF78C981A5EB7A5FF8A315F1545A8EA15EB392DB31AD05CB81

Function 0083912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00839141
ScreenToClient.USER32(00000000,?), ref: 0083915E
GetAsyncKeyState.USER32(00000001), ref: 00839183
GetAsyncKeyState.USER32(00000002), ref: 0083919D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: cf087b5d10f8414c314743925f62db225b70b42662a32622ffd6a283d8705db6
Instruction ID: 3b20dd26bf348f8a1b39b0f64fc933238eeaf21dc279ded487b7e22565ca0b29
Opcode Fuzzy Hash: cf087b5d10f8414c314743925f62db225b70b42662a32622ffd6a283d8705db6
Instruction Fuzzy Hash: 5C416F31A0860AFBDF159F68C844BEEB774FB45324F208229E469E3294C774A950CFA1

Function 00893874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008938CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00893922
TranslateMessage.USER32(?), ref: 0089394B
DispatchMessageW.USER32(?), ref: 00893955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00893966

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d1e6fec1705dd191bb508543173caeb0e81758fa5b0774a51d4ccec6b10dcda5
Instruction ID: 879032ed9b21ec134d810e24297fff0de603682d75e5ca583f297f23fac7d469
Opcode Fuzzy Hash: d1e6fec1705dd191bb508543173caeb0e81758fa5b0774a51d4ccec6b10dcda5
Instruction Fuzzy Hash: 3A31DF70904346DEEF35EB359808FB67FA8FB16304F0C0569E466D25A0E3B4AA85CB21

Function 0089CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0089C21E,00000000), ref: 0089CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0089CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0089C21E,00000000), ref: 0089CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0089C21E,00000000), ref: 0089CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0089C21E,00000000), ref: 0089CFF2

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 528a017457b38cb56dc0934fe2e2b1448272e76701bdfe3240db302e84cc7089
Instruction ID: 1b203483d415b8898bc978f1dcfc54f04ed5bfd19af9bbe6e4e319685998011d
Opcode Fuzzy Hash: 528a017457b38cb56dc0934fe2e2b1448272e76701bdfe3240db302e84cc7089
Instruction Fuzzy Hash: 7A315E71900609EFDF20EFA9C8849ABBBF9FF54354B14442EF506D2141DB71AE40DBA0

Function 00881901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00881915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008819C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008819C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008819DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008819E2

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a3ffc4659fa722e15322113bbca8073d29c20e037b001088b4e3656e87fc61ca
Instruction ID: 3d15048e061d90103fa53febdb88d8b77f3b1c0c4b182f1cd849ea28f0cbabc5
Opcode Fuzzy Hash: a3ffc4659fa722e15322113bbca8073d29c20e037b001088b4e3656e87fc61ca
Instruction Fuzzy Hash: 44319C71A00219EFCB00DFA8CD9DAAE3BB9FB05315F104229F961E72D1CBB09945CB90

Function 008B5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 008B5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 008B579D
_wcslen.LIBCMT ref: 008B57AF
_wcslen.LIBCMT ref: 008B57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 008B5816

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 6fb2071cee7a7a99386e6b862d88ffdcb9b398a1dfc0e1860fa7eb6b08b8aa7c
Instruction ID: 7bf8912399bd7df3bd2bd82030e4f658bfba7d2f47ca06f55f09be7c01a37462
Opcode Fuzzy Hash: 6fb2071cee7a7a99386e6b862d88ffdcb9b398a1dfc0e1860fa7eb6b08b8aa7c
Instruction Fuzzy Hash: 4A218271904618EADB209FA4DC85BEE7BB8FF14724F108216F929EB2C0D7709985CF54

Function 0083990F Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008398CC
SetTextColor.GDI32(?,?), ref: 008398D6
SetBkMode.GDI32(?,00000001), ref: 008398E9
GetStockObject.GDI32(00000005), ref: 008398F1
GetWindowLongW.USER32(?,000000EB), ref: 00839952

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 803251941eca461a9ea5a9bcd9e6d2db499c38c74217f2162120613d3ad88da0
Instruction ID: 766b5e580df8492cb945f4c6f7a34f0b8c1c94bb73f94cda91594386c656db22
Opcode Fuzzy Hash: 803251941eca461a9ea5a9bcd9e6d2db499c38c74217f2162120613d3ad88da0
Instruction Fuzzy Hash: C33126325492909FC7128F38EC54AA53FA0FF97331B18029DE9D2CA1B1C7724952DB90

Function 008A0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 008A0951
GetForegroundWindow.USER32 ref: 008A0968
GetDC.USER32(00000000), ref: 008A09A4
GetPixel.GDI32(00000000,?,00000003), ref: 008A09B0
ReleaseDC.USER32(00000000,00000003), ref: 008A09E8

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 936286eb0ce197282f63c4696be81326685f778e08059a49b592ff7cb5ce0fb3
Instruction ID: 0fd7e2253a1cc7e93a698c973f1f442cb38ece964e91b618ebe91014356730cf
Opcode Fuzzy Hash: 936286eb0ce197282f63c4696be81326685f778e08059a49b592ff7cb5ce0fb3
Instruction Fuzzy Hash: 39218135A00214AFDB04EF69D989AAEBBE9FF49700F04816CF84AD7752CB70AC44CB51

Function 0085CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0085CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0085CDE9

Part of subcall function 00853820: RtlAllocateHeap.NTDLL(00000000,?,008F1444,?,0083FDF5,?,?,0082A976,00000010,008F1440,008213FC,?,008213C6,?,00821129), ref: 00853852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0085CE0F
_free.LIBCMT ref: 0085CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0085CE31

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0986a84061d46e9840685d8c934ad018370f8d3da2f641c1f7163e1c8b386e6b
Instruction ID: df70a40b2259317737924fc7fc79c24567688bb68dbe3b96d6a10bb10900b213
Opcode Fuzzy Hash: 0986a84061d46e9840685d8c934ad018370f8d3da2f641c1f7163e1c8b386e6b
Instruction Fuzzy Hash: C6018F726023157F27211ABAAC8AD7B7E6DFEC6BA23150229FD05D7201EB618D0589B1

Function 00839639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00839693
SelectObject.GDI32(?,00000000), ref: 008396A2
BeginPath.GDI32(?), ref: 008396B9
SelectObject.GDI32(?,00000000), ref: 008396E2

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7f480d73f955e7f8920197fdfbb96b1b418c2701304990c27b6cd1beec10e8eb
Instruction ID: dfa282de2b8a6d481c05145f99243ca51ffa1652a24858d3705a2ef21b626a79
Opcode Fuzzy Hash: 7f480d73f955e7f8920197fdfbb96b1b418c2701304990c27b6cd1beec10e8eb
Instruction Fuzzy Hash: 6B216D30902205EBDF119F29DC19BB93FA8FBA0315F504216F450E61A0E3F09892CFD0

Function 00885711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00885726
_memcmp.LIBVCRUNTIME ref: 00885744
_memcmp.LIBVCRUNTIME ref: 00885757
_memcmp.LIBVCRUNTIME ref: 0088576F
_memcmp.LIBVCRUNTIME ref: 00885787

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 650b19fb6b37e6bbcd160c4f4bc4589da55db442ac2cd27f854bc9c4afa49927
Instruction ID: ae0a61a46456851af9c992ef25986c67b631d6dbddc40fc62ebcc6ce1e1af087
Opcode Fuzzy Hash: 650b19fb6b37e6bbcd160c4f4bc4589da55db442ac2cd27f854bc9c4afa49927
Instruction Fuzzy Hash: 2501927564161EBAE60875149D82EFB635CFB213A8F40C020FE14DA342F768ED5083A5

Function 00852DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0084F2DE,00853863,008F1444,?,0083FDF5,?,?,0082A976,00000010,008F1440,008213FC,?,008213C6), ref: 00852DFD
_free.LIBCMT ref: 00852E32
_free.LIBCMT ref: 00852E59
SetLastError.KERNEL32(00000000,00821129), ref: 00852E66
SetLastError.KERNEL32(00000000,00821129), ref: 00852E6F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c19bd70d84ff07f75b551e83eb746d1cfa251a9fffd83fd2b71470a10ae85452
Instruction ID: 792b99a0e36df28d18a622b11dc2dc5a9f147a008126897c4054804f9145e736
Opcode Fuzzy Hash: c19bd70d84ff07f75b551e83eb746d1cfa251a9fffd83fd2b71470a10ae85452
Instruction Fuzzy Hash: AC01F432645A006BC71267786C87D2B2B99FBD73BBB644129FC21E2293EF349C0D4122

Function 0088000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0087FF41,80070057,?,?,?,0088035E), ref: 0088002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0087FF41,80070057,?,?), ref: 00880046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0087FF41,80070057,?,?), ref: 00880054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0087FF41,80070057,?), ref: 00880064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0087FF41,80070057,?,?), ref: 00880070

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 9738b11108540665fcf630e27257e5b92508977d6058f45041f80eb65dad2fb9
Instruction ID: 70ddca12f2b1ae9d06bf698d22c8f9cf9b2dc78336e8a618285edf5f84df9d56
Opcode Fuzzy Hash: 9738b11108540665fcf630e27257e5b92508977d6058f45041f80eb65dad2fb9
Instruction Fuzzy Hash: 6C01AD72600605BFDB51AF68DC04BAA7BEDFF48792F144224F905D6210E771DD449BA0

Function 0088E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0088E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0088E9A5
Sleep.KERNEL32(00000000), ref: 0088E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0088E9B7
Sleep.KERNEL32 ref: 0088E9F3

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 64ec1cba3fc2a79fae91ffd961d579e956a29a5940e0678c35ca348444a62ae3
Instruction ID: 4523e8ece75ae5b28b8e56fd0c50932bc91ca3c42e5c49d379acb5cffcf54b86
Opcode Fuzzy Hash: 64ec1cba3fc2a79fae91ffd961d579e956a29a5940e0678c35ca348444a62ae3
Instruction Fuzzy Hash: 5C011331D01A2DDBCF00ABE9ED59AEDBF78FF09701F010656E942F2241CB7096548BA2

Function 008810F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00881114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00880B9B,?,?,?), ref: 00881120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00880B9B,?,?,?), ref: 0088112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00880B9B,?,?,?), ref: 00881136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0088114D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 77d93323bcccbcd0ae4ea8998700ffcdcff9f2c21cb50a2c769fcb0d577862e1
Instruction ID: 1163c47039a680696f790f43a84d8fd893b1e2889685ff2baf44208945238af7
Opcode Fuzzy Hash: 77d93323bcccbcd0ae4ea8998700ffcdcff9f2c21cb50a2c769fcb0d577862e1
Instruction Fuzzy Hash: 4F011979200605BFDB115FA9DC4DAAA3F6EFF893A0B204519FA45D7360DE31DC019B60

Function 00880FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00880FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00880FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00880FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00880FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00881002

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: cdb968fd5db020faf1e1946b2909336bc41130622b421397fcbbd52eb01b5f6c
Instruction ID: bfa6a92f5dddb742dd2486d0f0e2b6575dabc34fd1293215f6dd263530dd6cde
Opcode Fuzzy Hash: cdb968fd5db020faf1e1946b2909336bc41130622b421397fcbbd52eb01b5f6c
Instruction Fuzzy Hash: FCF04975200701ABDB216FA89C4DF563FADFF89B62F104525FA45D6251CA70DC418A60

Function 00881014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0088102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00881036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00881045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0088104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00881062

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 25a9e0236f006b216d79791a4665e3420a59c56c864629389e5530fc4d8f7395
Instruction ID: b2b94eaa05c041626392540b28a4ab323bffa82a78c701c20e63bb859be3d550
Opcode Fuzzy Hash: 25a9e0236f006b216d79791a4665e3420a59c56c864629389e5530fc4d8f7395
Instruction Fuzzy Hash: 49F04975200701ABDB21AFA8EC4DF573FADFF89761F100525FA45D6250CA70E8418A60

Function 0089030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0089017D,?,008932FC,?,00000001,00862592,?), ref: 00890324
CloseHandle.KERNEL32(?,?,?,?,0089017D,?,008932FC,?,00000001,00862592,?), ref: 00890331
CloseHandle.KERNEL32(?,?,?,?,0089017D,?,008932FC,?,00000001,00862592,?), ref: 0089033E
CloseHandle.KERNEL32(?,?,?,?,0089017D,?,008932FC,?,00000001,00862592,?), ref: 0089034B
CloseHandle.KERNEL32(?,?,?,?,0089017D,?,008932FC,?,00000001,00862592,?), ref: 00890358
CloseHandle.KERNEL32(?,?,?,?,0089017D,?,008932FC,?,00000001,00862592,?), ref: 00890365

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a67595812ecb0845d29dad65dab548031eb2ba8378ea78fb1d73649cb80b00cd
Instruction ID: 408edb30e4d4cf5f8d842cc22e7d7d733cd76859fb2a1ac467bcc10f3cb9fcab
Opcode Fuzzy Hash: a67595812ecb0845d29dad65dab548031eb2ba8378ea78fb1d73649cb80b00cd
Instruction Fuzzy Hash: EC01A272800B159FCB30AF66D880412F7F5FF503153198A3FD19692A31C371A954EF80

Function 0085D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0085D752

Part of subcall function 008529C8: HeapFree.KERNEL32(00000000,00000000,?,0085D7D1,00000000,00000000,00000000,00000000,?,0085D7F8,00000000,00000007,00000000,?,0085DBF5,00000000), ref: 008529DE
Part of subcall function 008529C8: GetLastError.KERNEL32(00000000,?,0085D7D1,00000000,00000000,00000000,00000000,?,0085D7F8,00000000,00000007,00000000,?,0085DBF5,00000000,00000000), ref: 008529F0

_free.LIBCMT ref: 0085D764
_free.LIBCMT ref: 0085D776
_free.LIBCMT ref: 0085D788
_free.LIBCMT ref: 0085D79A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dde47df4225a5637febab7dd4ae4c964382fce3c4a7f8b8ebc214f326ba33533
Instruction ID: 7dec557a671a2e3547f34d2445dd5e11bad4ed8ea04135df25f98498ebbb43d5
Opcode Fuzzy Hash: dde47df4225a5637febab7dd4ae4c964382fce3c4a7f8b8ebc214f326ba33533
Instruction Fuzzy Hash: E9F06232904358AB8635FB68F9C1D567FDDFB093127A40805FC48EB602CB30FC888661

Function 00885C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00885C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00885C6F
MessageBeep.USER32(00000000), ref: 00885C87
KillTimer.USER32(?,0000040A), ref: 00885CA3
EndDialog.USER32(?,00000001), ref: 00885CBD

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5bd1ee65c6ea364970dc66a1776b0753d3a3f41eac9496d728444371ef4d23e5
Instruction ID: 7c145ce4f2d8db9802031e8f0bb1f71ff064e6598b27834bfff831947396017d
Opcode Fuzzy Hash: 5bd1ee65c6ea364970dc66a1776b0753d3a3f41eac9496d728444371ef4d23e5
Instruction Fuzzy Hash: 96018170500B04ABEB316B50EE4EFA67BB9FB11B05F00165DA583E14E1DBF4A9848F90

Function 008522A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008522BE

Part of subcall function 008529C8: HeapFree.KERNEL32(00000000,00000000,?,0085D7D1,00000000,00000000,00000000,00000000,?,0085D7F8,00000000,00000007,00000000,?,0085DBF5,00000000), ref: 008529DE
Part of subcall function 008529C8: GetLastError.KERNEL32(00000000,?,0085D7D1,00000000,00000000,00000000,00000000,?,0085D7F8,00000000,00000007,00000000,?,0085DBF5,00000000,00000000), ref: 008529F0

_free.LIBCMT ref: 008522D0
_free.LIBCMT ref: 008522E3
_free.LIBCMT ref: 008522F4
_free.LIBCMT ref: 00852305

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ab5d33abed9099bfe3ccb74e3314f8dbf315286b4d68f5a0f2b41280ddd1d614
Instruction ID: 327638ac579cbb3ec002d0632501a2a7c28073ea663e75c945c8813a94b41d38
Opcode Fuzzy Hash: ab5d33abed9099bfe3ccb74e3314f8dbf315286b4d68f5a0f2b41280ddd1d614
Instruction Fuzzy Hash: F2F05E748101209F8A12EFB8BC41DA83F64F71A762B00051AF824E63B6CF310816EFE5

Function 008395C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008395D4
StrokeAndFillPath.GDI32(?,?,008771F7,00000000,?,?,?), ref: 008395F0
SelectObject.GDI32(?,00000000), ref: 00839603
DeleteObject.GDI32 ref: 00839616
StrokePath.GDI32(?), ref: 00839631

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: fd770c88f94220a4a7a089632a6bcfb7707d40b65b59d18b72f91f8881bca418
Instruction ID: 17d0a58f0a7d09945232d3f5c2fafe85aac32f4a11e542857daf625c537dec72
Opcode Fuzzy Hash: fd770c88f94220a4a7a089632a6bcfb7707d40b65b59d18b72f91f8881bca418
Instruction Fuzzy Hash: 0EF03730106608EBDB226F69ED1CB793F65FB50322F448314F4A5A50F0E7B08996DFA0

Function 00850F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008510F9
__freea.LIBCMT ref: 00851117

Part of subcall function 00851537: _free.LIBCMT ref: 0085154F

Strings

am/pm, xrefs: 0085117A
a/p, xrefs: 008511DE

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 6ae192aff7030181fbc16dd3736c98fd5c25ea1e083e714515d7381dcd29f6a6
Instruction ID: ecd2e40f53dbb97b11ddcc68afd3e6a8d065abbf70c1e87705f6ca2866ec0964
Opcode Fuzzy Hash: 6ae192aff7030181fbc16dd3736c98fd5c25ea1e083e714515d7381dcd29f6a6
Instruction Fuzzy Hash: 0AD1D03190020A9ACF249F68C8ADBFAB7B1FF05706F240159ED01DBB90D3799D88CB91

Function 008A7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00840242: EnterCriticalSection.KERNEL32(008F070C,008F1884,?,?,0083198B,008F2518,?,?,?,008212F9,00000000), ref: 0084024D
Part of subcall function 00840242: LeaveCriticalSection.KERNEL32(008F070C,?,0083198B,008F2518,?,?,?,008212F9,00000000), ref: 0084028A

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

Part of subcall function 008400A3: __onexit.LIBCMT ref: 008400A9

__Init_thread_footer.LIBCMT ref: 008A7BFB

Part of subcall function 008401F8: EnterCriticalSection.KERNEL32(008F070C,?,?,00838747,008F2514), ref: 00840202
Part of subcall function 008401F8: LeaveCriticalSection.KERNEL32(008F070C,?,00838747,008F2514), ref: 00840235

Strings

G, xrefs: 008A7C7F
Variable must be of type 'Object'., xrefs: 008A7C3A
5, xrefs: 008A7C78

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: e00fb0cf2426826e023a6862bff0f3f21f949a990c7de8b3e1ab695c37403cd9
Instruction ID: f151f78f4c8fef578b6395bbf23c23522b9413eb90ada36eca824f86bbeddf11
Opcode Fuzzy Hash: e00fb0cf2426826e023a6862bff0f3f21f949a990c7de8b3e1ab695c37403cd9
Instruction Fuzzy Hash: BB918A70A04209EFDB04EF98D8909BDB7B1FF4A304F108059F906DB692DB71AE85EB51

Function 00882716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0088B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008821D0,?,?,00000034,00000800,?,00000034), ref: 0088B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00882760

Part of subcall function 0088B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0088B3F8

Part of subcall function 0088B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0088B355
Part of subcall function 0088B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00882194,00000034,?,?,00001004,00000000,00000000), ref: 0088B365
Part of subcall function 0088B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00882194,00000034,?,?,00001004,00000000,00000000), ref: 0088B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008827CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0088281A

Strings

@, xrefs: 00882832

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9472b3fcb64b1668346078721449f316ae2c17777778b986efa1709231428af6
Instruction ID: 34f58f54379466b7df2a31b193c88d71579e6168854153d747ff56b3c227e9a3
Opcode Fuzzy Hash: 9472b3fcb64b1668346078721449f316ae2c17777778b986efa1709231428af6
Instruction Fuzzy Hash: 29410D76900218BFDB10EBA8CD45ADEBBB8FF49700F104059FA55B7181DB706E45CB61

Function 0085172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00851769
_free.LIBCMT ref: 00851834
_free.LIBCMT ref: 0085183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00851760, 00851767, 00851796, 008517CE

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 29e363d5de06b27941286483541d58b49236fffbd4eed48ec0a8b4fb7e75b39f
Instruction ID: fefee21b81d007d1c3a9f8b5787193eb48e5baa05f2076db7bf14d42bb0924f4
Opcode Fuzzy Hash: 29e363d5de06b27941286483541d58b49236fffbd4eed48ec0a8b4fb7e75b39f
Instruction Fuzzy Hash: C9314175A00218EFDF21DBAD9889EAEBBBCFB89311B144166F904D7211D6B04E48CB91

Function 0088C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0088C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0088C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008F1990,00D256F0), ref: 0088C395

Strings

0, xrefs: 0088C2DF

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 4be5835d2f65fa5488371d427a6e7a2b2530fd2c7b5bbeb39f9fa0803f0a2216
Instruction ID: 300111c609ac8fdfbc09966aa5a700ea6c5693518dddf30f243c722bbb209c83
Opcode Fuzzy Hash: 4be5835d2f65fa5488371d427a6e7a2b2530fd2c7b5bbeb39f9fa0803f0a2216
Instruction Fuzzy Hash: 9F418C712043019FD720EF29D885B5ABBE8FF85324F148A2DF9A5D7395D730A905CB62

Function 008B4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,008BCC08,00000000,?,?,?,?), ref: 008B44AA
GetWindowLongW.USER32 ref: 008B44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008B44D7

Strings

SysTreeView32, xrefs: 008B447C

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ba7880ca345cf238305407f9e7ed0cc1680e11c26a28ec1dcea8980e5390bcaf
Instruction ID: 5cc221d2ebbbf665f0295afe85163a045879706e527ba4dd40ca024305319a70
Opcode Fuzzy Hash: ba7880ca345cf238305407f9e7ed0cc1680e11c26a28ec1dcea8980e5390bcaf
Instruction Fuzzy Hash: 82317C31210605AFDB208E38DC46BEA7BA9FB09334F205725F975E22E1D770AC609760

Function 008A304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008A335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,008A3077,?,?), ref: 008A3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 008A307A
_wcslen.LIBCMT ref: 008A309B
htons.WSOCK32(00000000,?,?,00000000), ref: 008A3106

Strings

255.255.255.255, xrefs: 008A3095, 008A309A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 9e961d643ef4d58f468c8d882eee1d46aabd50e47c993628cf0e9855970004ba
Instruction ID: ce34499bf2ea28538ce19d4e499a89e61dc4cba7b14752cb919707c5c3f2e163
Opcode Fuzzy Hash: 9e961d643ef4d58f468c8d882eee1d46aabd50e47c993628cf0e9855970004ba
Instruction Fuzzy Hash: EA31D5352042059FEB10CF68C485E6A77E0FF16318F248069F915CBB92DB71DE45C761

Function 008B3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 008B3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 008B3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 008B3F78

Strings

SysMonthCal32, xrefs: 008B3F0B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fe949d7b224c94a2425527e833b4c75afc08f4f17aad50f27d45c797064241a0
Instruction ID: 231ae785b624e776746b2b90d5107c1d3806d3bd4734e429e6ab2f0ec7d645dd
Opcode Fuzzy Hash: fe949d7b224c94a2425527e833b4c75afc08f4f17aad50f27d45c797064241a0
Instruction Fuzzy Hash: 0F21BC32610219BBDF218F94DC46FEA3B79FB48714F110214FA15AB2D0DAB1A850CBA0

Function 008B4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 008B4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 008B4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 008B471A

Strings

msctls_updown32, xrefs: 008B4684

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: cb2dc76f2b84d5ca85b3e7a9c638ac75b1ad5fe04553384d9f9699f357fdf254
Instruction ID: f41f41544404f165ecc57f6acc3ed1bfcca901f036074bac7e7398bc839528b6
Opcode Fuzzy Hash: cb2dc76f2b84d5ca85b3e7a9c638ac75b1ad5fe04553384d9f9699f357fdf254
Instruction Fuzzy Hash: BB215EB5600209AFEB10DF68DC86DBB37ADFB5A3A4B040059FA01DB351DB71EC51CA61

Function 008895AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0088961D

Strings

#OnAutoItStartRegister, xrefs: 008895F3
#requireadmin, xrefs: 008895D9
#notrayicon, xrefs: 008895B7

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 91c6a9ebd93011ef5ac93d40c0bff9001fb5c3b0bd824e605c214f46e23e961c
Instruction ID: 4d6d32ae97b2f33d155eddf36c73b09ccc9b83452c6f09111c876344f106966e
Opcode Fuzzy Hash: 91c6a9ebd93011ef5ac93d40c0bff9001fb5c3b0bd824e605c214f46e23e961c
Instruction Fuzzy Hash: 9D210872204525A6D331FA299C02FBB7398FFA1314F184426F98AD7142FB55AD41C3D6

Function 008B37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 008B3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 008B3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 008B3876

Strings

Listbox, xrefs: 008B380F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 809aee167c13ec829ac24e4475a0f878bc26d14c4bca9fcc8f99c5683435e168
Instruction ID: 65fb2f60acfb634c3845cbb02970194d83a451165f47ebb80085023cf6bbeee2
Opcode Fuzzy Hash: 809aee167c13ec829ac24e4475a0f878bc26d14c4bca9fcc8f99c5683435e168
Instruction Fuzzy Hash: DA218E72610218BBEF218F65DC85EFB376EFF89754F118124F9149B290CA71DC5287A0

Function 008949F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00894A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00894A5C
SetErrorMode.KERNEL32(00000000,?,?,008BCC08), ref: 00894AD0

Strings

%lu, xrefs: 00894A6F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 27a2bd5f7235354bda5fcf49e570d3f834f32b869e0f9f4d7df9ebaf5c5707b6
Instruction ID: add53ead10c23e86a62bba4ef2b7fdd734e3f57d9fddd09e803bbc8252bc488c
Opcode Fuzzy Hash: 27a2bd5f7235354bda5fcf49e570d3f834f32b869e0f9f4d7df9ebaf5c5707b6
Instruction Fuzzy Hash: A7314F71A00119AFDB10DF58C885EAA7BF8FF44308F1440A5F505EB252D771ED46CB61

Function 008B41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008B424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008B4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 008B4271

Strings

msctls_trackbar32, xrefs: 008B4226

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 83b5ad6f484ef93b7ef1da41fea95d560f311a945cbf8664b9de0d8b5d92276e
Instruction ID: 66a234cac0111ecd3781cbb175ede4ae33041ad85c9263195741122d2eacf367
Opcode Fuzzy Hash: 83b5ad6f484ef93b7ef1da41fea95d560f311a945cbf8664b9de0d8b5d92276e
Instruction Fuzzy Hash: CE11E331240248BEEF205E29CC06FEB3BACFF95B54F110124FA55E2191D271DC519B50

Function 00882F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00826B57: _wcslen.LIBCMT ref: 00826B6A

Part of subcall function 00882DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00882DC5
Part of subcall function 00882DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00882DD6
Part of subcall function 00882DA7: GetCurrentThreadId.KERNEL32 ref: 00882DDD
Part of subcall function 00882DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00882DE4

GetFocus.USER32 ref: 00882F78

Part of subcall function 00882DEE: GetParent.USER32(00000000), ref: 00882DF9

GetClassNameW.USER32(?,?,00000100), ref: 00882FC3
EnumChildWindows.USER32(?,0088303B), ref: 00882FEB

Strings

%s%d, xrefs: 00882FFF

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 71ef9bb42f3881abf8525d39eb94674f11e97bcc5d419cfcfd7c41fdea7f35b2
Instruction ID: d256d60ecd7f94594a991b791ece58c5b944e98d3dd8cdde36c915c698f4cda1
Opcode Fuzzy Hash: 71ef9bb42f3881abf8525d39eb94674f11e97bcc5d419cfcfd7c41fdea7f35b2
Instruction Fuzzy Hash: B711E1716002096BCF107F789C85EEE3B6AFF94314F044079F909EB292EE3099498B71

Function 008B5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008B58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008B58EE
DrawMenuBar.USER32(?), ref: 008B58FD

Strings

0, xrefs: 008B588F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: a5bb7973486c15442c293a873e49d2c61c5b38eca173cf63f5849ec071e4bc62
Instruction ID: d0c607240c316fc33d11d3fdb94c2066d99eb69f1250cb732d6d3aeef08256eb
Opcode Fuzzy Hash: a5bb7973486c15442c293a873e49d2c61c5b38eca173cf63f5849ec071e4bc62
Instruction Fuzzy Hash: 62016D31500218EFDB219F15EC44BEEBBB4FF45364F1480AAF949DA261DB308A84DF61

Function 0088007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9085167329cddac9def75ec416aae69377ac367d5adfe28254af1560d4f7f4fc
Instruction ID: 97beef80d0d67a8697d3df95a2c9dbb87790bdb322295f81596c1ba7affa3187
Opcode Fuzzy Hash: 9085167329cddac9def75ec416aae69377ac367d5adfe28254af1560d4f7f4fc
Instruction Fuzzy Hash: 62C17B75A0020AEFDB54DFA8C898AAEB7B5FF48314F208598E505EB251C771EE45CF90

Function 00853E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00853F0B
__alldvrm.LIBCMT ref: 0085410C
__alldvrm.LIBCMT ref: 0085412E

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 63a63611879a16d14e5bebd5b67a5cdd269d55f8c1d5826fcaf0c884007a538e
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: F9A16872D00B869FDB11CF18C8817AEBBE4FF61399F28416DE985DB282C6348989C751

Function 008A342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008A3459
CoUninitialize.OLE32 ref: 008A3463
VariantInit.OLEAUT32(?), ref: 008A346E
VariantClear.OLEAUT32(?), ref: 008A371B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: ef4645c02a88cc4143b27be77986e35f7282d4f48c3cb5cb8f9bc3bf89c349ac
Instruction ID: f26c6da685fd9965d3a8c9739618e6e5dd4b9df45afdd861dc0e743d8a0d4135
Opcode Fuzzy Hash: ef4645c02a88cc4143b27be77986e35f7282d4f48c3cb5cb8f9bc3bf89c349ac
Instruction Fuzzy Hash: 78A16A756043109FDB00DF28C585A2AB7E5FF89714F048859F98AEB762DB70EE41CB92

Function 00880436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,008BFC08,?), ref: 008805F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,008BFC08,?), ref: 00880608
CLSIDFromProgID.OLE32(?,?,00000000,008BCC40,000000FF,?,00000000,00000800,00000000,?,008BFC08,?), ref: 0088062D
_memcmp.LIBVCRUNTIME ref: 0088064E

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 43b8ac51efbd5c4e0560e77aafaba2938217317e5088bc1fd53988154cea1261
Instruction ID: 0a24f7332a2419ff640b54d584e3e12f3edf44d0139e4acd909441dc65790732
Opcode Fuzzy Hash: 43b8ac51efbd5c4e0560e77aafaba2938217317e5088bc1fd53988154cea1261
Instruction Fuzzy Hash: F881E971A00209AFCB44DF94C984DEEB7B9FF89315F204558E516EB250DB71AE4ACF60

Function 008AA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008AA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 008AA6BA

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

Process32NextW.KERNEL32(00000000,?), ref: 008AA79C
CloseHandle.KERNEL32(00000000), ref: 008AA7AB

Part of subcall function 0083CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00863303,?), ref: 0083CE8A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e1d37d52ee003d8566e9ffe43e99ecae0e9eb468a211fab3084174bc95469566
Instruction ID: d79fa7cd5c941dcbab52c318f560f6e73503adb2bd5cb322a844685075306060
Opcode Fuzzy Hash: e1d37d52ee003d8566e9ffe43e99ecae0e9eb468a211fab3084174bc95469566
Instruction Fuzzy Hash: A0513871508310AFD714EF28D886A6BBBE8FF89754F00492DF585D7252EB30D944CB92

Function 00861391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008614C0

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1f16abced5faf0de8c0b13c09e8ceff5655711907c9f3567e39d924545066faf
Instruction ID: 461ec45e861bedc0956a0550b147e67523cd6314103a700e77da4fc5825e9221
Opcode Fuzzy Hash: 1f16abced5faf0de8c0b13c09e8ceff5655711907c9f3567e39d924545066faf
Instruction Fuzzy Hash: 31411B31A00115ABDF216BBD8C4EABE3AA6FF41370F1E4225F919D7293EE7488415367

Function 008B6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008B62E2
ScreenToClient.USER32(?,?), ref: 008B6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 008B6382

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5489c915ffaa0b7f0cece7239c2dc839d49da8a3a27ad2938e2f9b25b678f1e3
Instruction ID: a4d3ce094bc08ba82370d565a0ba9bf5c0343f3ae17efbd1c7f9b9111748e2b6
Opcode Fuzzy Hash: 5489c915ffaa0b7f0cece7239c2dc839d49da8a3a27ad2938e2f9b25b678f1e3
Instruction Fuzzy Hash: 35511774A00209EFDB10DF68D8849AE7BB5FB59360F108269F915DB3A0E774AD91CB90

Function 008A1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 008A1AFD
WSAGetLastError.WSOCK32 ref: 008A1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 008A1B8A
WSAGetLastError.WSOCK32 ref: 008A1B94

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 54468ef96a3ac8715a43fbc16aec73448b1fbb2b03abfa43d26815667071358c
Instruction ID: 609f34dc537c3c4d6b756774400e204ca66a8b7cc8d1d24f2da2592ea2f3d628
Opcode Fuzzy Hash: 54468ef96a3ac8715a43fbc16aec73448b1fbb2b03abfa43d26815667071358c
Instruction Fuzzy Hash: 9D41A134600210AFEB20AF28D88AF2977E5FB45718F548458F91ADF7D2D772DD828B91

Function 0085B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d93ff2aab919c7b81b877015beecad5241ed2ca17f7365eeec202a97c07068
Instruction ID: 600cebab1bdbe825ef17118a3b5e14019eb932e2c1d40ab6265db895d3e3d5a2
Opcode Fuzzy Hash: c6d93ff2aab919c7b81b877015beecad5241ed2ca17f7365eeec202a97c07068
Instruction Fuzzy Hash: 3A410672A00318AFD7249F7CCC41B6ABBA9FB98711F20452EF941DB282D771D9098781

Function 008956D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00895783
GetLastError.KERNEL32(?,00000000), ref: 008957A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008957CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008957FA

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 43d9b0e79f323759a6dce83b3c97c6efaa0f443a24b3807edc42541edb0ce797
Instruction ID: 1be55461fd3fa460a8e95add50c46ac12ea301b04482acea6fb774b006c728e9
Opcode Fuzzy Hash: 43d9b0e79f323759a6dce83b3c97c6efaa0f443a24b3807edc42541edb0ce797
Instruction Fuzzy Hash: 9F41EE35600610DFCB11EF59D545A5EBBE1FF89720B198498E84AAB362CB34FD41CB92

Function 0085D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00846D71,00000000,00000000,008482D9,?,008482D9,?,00000001,00846D71,8BE85006,00000001,008482D9,008482D9), ref: 0085D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0085D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0085D9AB
__freea.LIBCMT ref: 0085D9B4

Part of subcall function 00853820: RtlAllocateHeap.NTDLL(00000000,?,008F1444,?,0083FDF5,?,?,0082A976,00000010,008F1440,008213FC,?,008213C6,?,00821129), ref: 00853852

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7df73daeec36bc5a9d7659ad8a6fd9a38b5d44cbdf75567d2249e79387570d77
Instruction ID: 2b5fe8af29625cea84a48777520537c99dc8c913a5a8532a7cc63428d7c28600
Opcode Fuzzy Hash: 7df73daeec36bc5a9d7659ad8a6fd9a38b5d44cbdf75567d2249e79387570d77
Instruction Fuzzy Hash: 5A31B072A0020AABDF24DF69DC45EAE7FA5FB41311B054268FC04EB251EB35CD59CB91

Function 008B52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 008B5352
GetWindowLongW.USER32(?,000000F0), ref: 008B5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008B5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008B53A8

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 3c84b0b417d6e09e3286f09a87673f99367382deae8d14d401319ff7872f4eb0
Instruction ID: f0300fd892880ef7a98d97b13c5bd26cf0234e3c0b0128c90360a3908f9d6e03
Opcode Fuzzy Hash: 3c84b0b417d6e09e3286f09a87673f99367382deae8d14d401319ff7872f4eb0
Instruction Fuzzy Hash: AD319E34A55A0CEFEB309A14CC55FE977E5FB0E390F584102BA11D63E1C7B5A9809B52

Function 0088AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0088ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0088AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0088AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0088ACC6

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f15e64a07d736e7e4dc65a548028dfb294c5ef3a32e493dac38c5829b4ec079d
Instruction ID: ee4283295170c4ace7978267ea78aad2518f7cf72f291125d941fa5f74e83b54
Opcode Fuzzy Hash: f15e64a07d736e7e4dc65a548028dfb294c5ef3a32e493dac38c5829b4ec079d
Instruction Fuzzy Hash: 8731F470A40618AFFB39AB69C804BFA7BA7FB89310F08431BE485E21D1C37599858752

Function 008B7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 008B769A
GetWindowRect.USER32(?,?), ref: 008B7710
PtInRect.USER32(?,?,008B8B89), ref: 008B7720
MessageBeep.USER32(00000000), ref: 008B778C

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c45055e7863b4f01507cb4944725e14525a1d8a32594a8a1aeaad75162d76109
Instruction ID: b57d631b1348e9600e345803998ee89deef4bd6b187af3fe26bcee1ddffe6ee7
Opcode Fuzzy Hash: c45055e7863b4f01507cb4944725e14525a1d8a32594a8a1aeaad75162d76109
Instruction Fuzzy Hash: 11418934A09354DFDB11CF68C898EE9BBF4FB99304F1541A8E815DB361CB70A941CB90

Function 008B16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008B16EB

Part of subcall function 00883A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00883A57
Part of subcall function 00883A3D: GetCurrentThreadId.KERNEL32 ref: 00883A5E
Part of subcall function 00883A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008825B3), ref: 00883A65

GetCaretPos.USER32(?), ref: 008B16FF
ClientToScreen.USER32(00000000,?), ref: 008B174C
GetForegroundWindow.USER32 ref: 008B1752

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 73ff15e8bd002f8c760c4106c77059e260bd641c5f30dc87514c3ffb5385b50e
Instruction ID: 3e0bea035d906cbf4e32e67c3160e62859b550625f9d459b113342bafd094e56
Opcode Fuzzy Hash: 73ff15e8bd002f8c760c4106c77059e260bd641c5f30dc87514c3ffb5385b50e
Instruction Fuzzy Hash: D7316F71D00159AFCB00EFA9D885CEEBBF9FF48304B5080A9E415E7211EB319E45CBA1

Function 0088DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00827620: _wcslen.LIBCMT ref: 00827625

_wcslen.LIBCMT ref: 0088DFCB
_wcslen.LIBCMT ref: 0088DFE2
_wcslen.LIBCMT ref: 0088E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0088E018

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 88567dfe03fe71501bef8eeaa7b9952d01a838412ecae6ec6dbd518e24613d01
Instruction ID: 855a7b04a5d7381115fee436a4faf0147305fc0ddfb3cc0c42d7e1dc64cf9b86
Opcode Fuzzy Hash: 88567dfe03fe71501bef8eeaa7b9952d01a838412ecae6ec6dbd518e24613d01
Instruction Fuzzy Hash: F821D371900618AFCB10EFA8D881B6EBBF8FF45750F104065E904FB286DA709E41CBE2

Function 008B8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00839BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00839BB2

GetCursorPos.USER32(?), ref: 008B9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00877711,?,?,?,?,?), ref: 008B9016
GetCursorPos.USER32(?), ref: 008B905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00877711,?,?,?), ref: 008B9094

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: fd47ff73b36a0e18a4fbcaf062d42661647906020793a67eada34099f792c63c
Instruction ID: 9a1167df6578cf52f5d6e71409125919cb14cb8d70ef43f18bbc45c8cd83a9ed
Opcode Fuzzy Hash: fd47ff73b36a0e18a4fbcaf062d42661647906020793a67eada34099f792c63c
Instruction Fuzzy Hash: 76219F35600418EFCB259FA4C898EFA7BF9FB8A360F044165FA4587262D3719951DBA0

Function 0088D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,008BCB68), ref: 0088D2FB
GetLastError.KERNEL32 ref: 0088D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0088D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,008BCB68), ref: 0088D376

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: ed0ed07d8a77829bd2820639c70a4236ffe9e8892e76323bdd57f64c1ffb6002
Instruction ID: 04cf3059233d0695b966763cf5b6de8f0a0c1f5d846418a7bc33fbd9c0e9eae7
Opcode Fuzzy Hash: ed0ed07d8a77829bd2820639c70a4236ffe9e8892e76323bdd57f64c1ffb6002
Instruction Fuzzy Hash: 94215C705093019F8710EF28D8818AEB7E4FE5A364F504A2DF4A9C73E1E7319946CB93

Function 00881571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00881014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0088102A
Part of subcall function 00881014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00881036
Part of subcall function 00881014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00881045
Part of subcall function 00881014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0088104C
Part of subcall function 00881014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00881062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008815BE
_memcmp.LIBVCRUNTIME ref: 008815E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00881617
HeapFree.KERNEL32(00000000), ref: 0088161E

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: a76a77a00e4946088e7e3d9f981742f0e2778bf5e7a7799535bf1177b54a586f
Instruction ID: 8683abfe7c29d669094ce87dc538a2c24780d2667ebc96d62fb76e307f553cbb
Opcode Fuzzy Hash: a76a77a00e4946088e7e3d9f981742f0e2778bf5e7a7799535bf1177b54a586f
Instruction Fuzzy Hash: 1F212771E40109AFDF10EFA4C949BEEB7B8FF54354F184459E441EB241EB30AA46CBA0

Function 008B2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 008B280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008B2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008B2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 008B2840

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: d2d98cb2313bea6ac12fea3ff7a37a67ad76466e47176d2706961c03b882e148
Instruction ID: b7f371e5106fc49609008362dac242447d7a42a056a2002ca0c31d168ac7f3a4
Opcode Fuzzy Hash: d2d98cb2313bea6ac12fea3ff7a37a67ad76466e47176d2706961c03b882e148
Instruction Fuzzy Hash: 02219D31205525AFD7249B28C845FAA7B99FF85324F148258F426CB7E2CB71FC82CB95

Function 008878F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00888D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0088790A,?,000000FF,?,00888754,00000000,?,0000001C,?,?), ref: 00888D8C
Part of subcall function 00888D7D: lstrcpyW.KERNEL32(00000000,?,?,0088790A,?,000000FF,?,00888754,00000000,?,0000001C,?,?,00000000), ref: 00888DB2
Part of subcall function 00888D7D: lstrcmpiW.KERNEL32(00000000,?,0088790A,?,000000FF,?,00888754,00000000,?,0000001C,?,?), ref: 00888DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00888754,00000000,?,0000001C,?,?,00000000), ref: 00887923
lstrcpyW.KERNEL32(00000000,?,?,00888754,00000000,?,0000001C,?,?,00000000), ref: 00887949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00888754,00000000,?,0000001C,?,?,00000000), ref: 00887984

Strings

cdecl, xrefs: 0088797B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 4171de89c5253034ab1711e49f072f2308cfd5e880dee8088bbe9a0a0f78a3a3
Instruction ID: 6f916404bb4b55d4f46d60b5839c0aca88bccadf907875bedf495534fe6a1b3b
Opcode Fuzzy Hash: 4171de89c5253034ab1711e49f072f2308cfd5e880dee8088bbe9a0a0f78a3a3
Instruction Fuzzy Hash: 4C11D63A200242ABCB15AF39DC45D7A7BB9FF85390B50402AF946CB365EF35D811C791

Function 008B7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 008B7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 008B7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 008B7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0089B7AD,00000000), ref: 008B7D6B

Part of subcall function 00839BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00839BB2

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 0d62e2eb6550314341803c30b8961074c3e23cfd221772c87c8eda7d9dc110c5
Instruction ID: 1731765e1dab2754a1dcdb9eff1e835c18cc8c54edee9b99095129e9ebb0c667
Opcode Fuzzy Hash: 0d62e2eb6550314341803c30b8961074c3e23cfd221772c87c8eda7d9dc110c5
Instruction Fuzzy Hash: 0B115E31615615AFCB109F68CC08EB63BA5FF853A0B254728F939D72F0D7319951DB90

Function 008B5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008B56BB
_wcslen.LIBCMT ref: 008B56CD
_wcslen.LIBCMT ref: 008B56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 008B5816

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 38b9c6eb660ba3546abea8e24c84bf3172293ecd70d48751b316ec55cff9b590
Instruction ID: 9de7ecd980983234982ae3549f0e23dce005beebc75b7678233f101b6266311b
Opcode Fuzzy Hash: 38b9c6eb660ba3546abea8e24c84bf3172293ecd70d48751b316ec55cff9b590
Instruction Fuzzy Hash: 5911D671600608AADF209F65DC85BEE7B6CFF21764F104126F915D6281EB70C984CB64

Function 00851D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc34b9e86ac840211c13122c90d39210a814aca72a8a019d5799dd513ae2059
Instruction ID: db2082b1d874dae082b9e6a711f30f8c32cb7518164edfc03956ccc40104283f
Opcode Fuzzy Hash: 6bc34b9e86ac840211c13122c90d39210a814aca72a8a019d5799dd513ae2059
Instruction Fuzzy Hash: 5D01A2B220561A3EFA21267C6CC4F676B2CFF813BAB300325FD31E11D2DB608C485160

Function 00881A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00881A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00881A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00881A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00881A8A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ad04c9151f2d5ebadb7af7a48a8796abf20730c3bf1419087ad3405f0253b27c
Instruction ID: 9fd7d22daeacdad5c0b0fa8c03e3d91a168be60a0329cdad7b269347885ce8b1
Opcode Fuzzy Hash: ad04c9151f2d5ebadb7af7a48a8796abf20730c3bf1419087ad3405f0253b27c
Instruction Fuzzy Hash: C0112A3A901229FFEF109BA4C985FADBB78FB08750F200091E610B7290DB716E51DB94

Function 0088E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0088E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0088E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0088E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0088E24D

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 97c1c20d3ab79fe6a46c755c7b24660bd84f967cd210d449b536c2bd76b85b5c
Instruction ID: dbae3424a967e7bf2832d14a5a313dd19f510d7c8522991f8bdd3ad44dce13a0
Opcode Fuzzy Hash: 97c1c20d3ab79fe6a46c755c7b24660bd84f967cd210d449b536c2bd76b85b5c
Instruction Fuzzy Hash: B711A176904258ABCB01AFA89C09AAA7BADFB45320F144265F924E3391D7B4990487A0

Function 0084D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0084CFF9,00000000,00000004,00000000), ref: 0084D218
GetLastError.KERNEL32 ref: 0084D224
__dosmaperr.LIBCMT ref: 0084D22B
ResumeThread.KERNEL32(00000000), ref: 0084D249

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: bc015fb32e98a0440f7f7ab1e0298b520d865946beb842908bedcf3509878cb1
Instruction ID: 9ad3e2bcb0151905e8fe88898823c0817ac4089081abaec9b3304ea40cbfd1c0
Opcode Fuzzy Hash: bc015fb32e98a0440f7f7ab1e0298b520d865946beb842908bedcf3509878cb1
Instruction Fuzzy Hash: 2D01C03680532CBBCB115BA9DC09AAA7BA9FF81331F104229F925D21D1CBB0990186A1

Function 008B9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00839BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00839BB2

GetClientRect.USER32(?,?), ref: 008B9F31
GetCursorPos.USER32(?), ref: 008B9F3B
ScreenToClient.USER32(?,?), ref: 008B9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 008B9F7A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: d9cbbdaa372bef1d629e5797d7a2fe6eaec2584df3520fd321af5fa4d612fe28
Instruction ID: 75b3dbf1b189515e24738d77c5c6ef6e92d37e476002a2866b083bafc8b6d370
Opcode Fuzzy Hash: d9cbbdaa372bef1d629e5797d7a2fe6eaec2584df3520fd321af5fa4d612fe28
Instruction Fuzzy Hash: F711063290011AABDB10DFA8D889DFE77B9FB46321F400555FA51E3251DB70BA85CBA1

Function 0082600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0082604C
GetStockObject.GDI32(00000011), ref: 00826060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0082606A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 26d39531759b77d9d333f1bee6eec00df3e5518e5f18e59206786369ea384e3a
Instruction ID: 044f76c538e66f8eaba2bfefdc8af2fe6dc387fa5ded41b29b9084f5e7d20536
Opcode Fuzzy Hash: 26d39531759b77d9d333f1bee6eec00df3e5518e5f18e59206786369ea384e3a
Instruction Fuzzy Hash: 6E116172501958FFEF124FA49C44EEA7BA9FF19364F040215FA14A6110D732DCA0EBA0

Function 00843B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00843B56

Part of subcall function 00843AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00843AD2
Part of subcall function 00843AA3: ___AdjustPointer.LIBCMT ref: 00843AED

_UnwindNestedFrames.LIBCMT ref: 00843B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00843B7C
CallCatchBlock.LIBVCRUNTIME ref: 00843BA4

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 860cd67bcc5fc6585e1d4e2c4904b6b6bce57210da7ee3a1e43f6df3d89cc469
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: B001E93210014DBBDF12AE99CC46EEB7B69FF58764F044115FE48A6121C732E961DBA1

Function 00853073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008213C6,00000000,00000000,?,0085301A,008213C6,00000000,00000000,00000000,?,0085328B,00000006,FlsSetValue), ref: 008530A5
GetLastError.KERNEL32(?,0085301A,008213C6,00000000,00000000,00000000,?,0085328B,00000006,FlsSetValue,008C2290,FlsSetValue,00000000,00000364,?,00852E46), ref: 008530B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0085301A,008213C6,00000000,00000000,00000000,?,0085328B,00000006,FlsSetValue,008C2290,FlsSetValue,00000000), ref: 008530BF

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 7b20dc23ba3f385e532265bc2c970157633bbcb11ea9f436dec75cdcdd90adea
Instruction ID: 1322da0947390009349a36dd96e96f18841a668422d916e13e1a53011e3d84f2
Opcode Fuzzy Hash: 7b20dc23ba3f385e532265bc2c970157633bbcb11ea9f436dec75cdcdd90adea
Instruction Fuzzy Hash: 74018432751B26ABCB214A799C849677B99FF45BE2B210724FD05E71C0D721D909C6E0

Function 00887464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0088747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00887497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008874AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008874CA

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 9e7bf33b500f9dc702a81be73425cfdae2fb16926efa0438f37d90f1f3ab969f
Instruction ID: b7327ca3633220f036a05555d1f1da4b26d269041434b7ec46660e07fcc3dff2
Opcode Fuzzy Hash: 9e7bf33b500f9dc702a81be73425cfdae2fb16926efa0438f37d90f1f3ab969f
Instruction Fuzzy Hash: 9411ADB1209315ABE720AF54DC08B927FFCFF00B14F208569E656D6191D7B0E944DBA4

Function 0088B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0088ACD3,?,00008000), ref: 0088B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0088ACD3,?,00008000), ref: 0088B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0088ACD3,?,00008000), ref: 0088B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0088ACD3,?,00008000), ref: 0088B126

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 051665dcca04c66cee9c1c5ce72e3ffd3111768e82dfbd6c4f32b35773cb8cb4
Instruction ID: 609aff478b10aba4bec14e7e1390e32739eca56db7753879d6f9f031639ffda3
Opcode Fuzzy Hash: 051665dcca04c66cee9c1c5ce72e3ffd3111768e82dfbd6c4f32b35773cb8cb4
Instruction Fuzzy Hash: 7F113931C0192DE7CF00EFE8E9986EEBF78FF89711F104186D981B6281DB3056508B51

Function 008B7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008B7E33
ScreenToClient.USER32(?,?), ref: 008B7E4B
ScreenToClient.USER32(?,?), ref: 008B7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 008B7E8A

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: af2012305c7c2efab1343867d6d4f3bd2269f90d6e348e361d4d6f0dbb12d0b7
Instruction ID: 41bf77724d1be5171bd26f83684333d649c91670526c7ddad43e324beb1a6632
Opcode Fuzzy Hash: af2012305c7c2efab1343867d6d4f3bd2269f90d6e348e361d4d6f0dbb12d0b7
Instruction Fuzzy Hash: BF1153B9D0020AAFDB41CF98C884AEEBBF9FF18310F509166E915E3210D735AA54CF90

Function 00882DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00882DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00882DD6
GetCurrentThreadId.KERNEL32 ref: 00882DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00882DE4

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 6fd7045cda70b09ac0a0288c31e4913af639515124c8ededa2dab17973dae85d
Instruction ID: d361ba70ac15ac93601e966b30fb5d8830e8b7c083019c1c8ce420bcef561c84
Opcode Fuzzy Hash: 6fd7045cda70b09ac0a0288c31e4913af639515124c8ededa2dab17973dae85d
Instruction Fuzzy Hash: A2E0EDB25012287BD7202B669C0DEEB7F6CFB57BA1F400219B506D10919AA58941C6B0

Function 008B8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00839639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00839693
Part of subcall function 00839639: SelectObject.GDI32(?,00000000), ref: 008396A2
Part of subcall function 00839639: BeginPath.GDI32(?), ref: 008396B9
Part of subcall function 00839639: SelectObject.GDI32(?,00000000), ref: 008396E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 008B8887
LineTo.GDI32(?,?,?), ref: 008B8894
EndPath.GDI32(?), ref: 008B88A4
StrokePath.GDI32(?), ref: 008B88B2

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7663632c4b0b43b123d9bad2bf50b5c332040f116acbae2794b2d2b489af7072
Instruction ID: 92efc95ddd744e6afab2e0e25ed55151570635d51c199f6074829b0d8b6e77e6
Opcode Fuzzy Hash: 7663632c4b0b43b123d9bad2bf50b5c332040f116acbae2794b2d2b489af7072
Instruction Fuzzy Hash: DEF03A36141659FBDB126F94AC0EFDA3F59BF06310F448100FA11A51E1C7B55511CFE5

Function 008398B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008398CC
SetTextColor.GDI32(?,?), ref: 008398D6
SetBkMode.GDI32(?,00000001), ref: 008398E9
GetStockObject.GDI32(00000005), ref: 008398F1

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 40cf4a48327574a5e7272b0ec94a61dfadfbb7f5a126ff54433dc8cd3673e794
Instruction ID: b9d149f774861eaeaf2527dd6ae772b7d7b0e89d649a3fe498e4a51d5c65e666
Opcode Fuzzy Hash: 40cf4a48327574a5e7272b0ec94a61dfadfbb7f5a126ff54433dc8cd3673e794
Instruction Fuzzy Hash: 02E06D31244280AADB215B78AC09BE93F20FB52336F04C319F6FAA80E1C3718640DB20

Function 0088162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00881634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008811D9), ref: 0088163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008811D9), ref: 00881648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008811D9), ref: 0088164F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 2977b8db703198e78700062753922ac5c5c06f9e25b41bba212767aa0d8df92c
Instruction ID: 7ba43fa20a4ee167c5dc9162f8538170d7f2f7582e1c3f5935dea156faf6f958
Opcode Fuzzy Hash: 2977b8db703198e78700062753922ac5c5c06f9e25b41bba212767aa0d8df92c
Instruction Fuzzy Hash: 56E08631641211DBDB202FA19D0DB863B7CFF58791F184918F285C9080EA344442C760

Function 0087D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0087D858
GetDC.USER32(00000000), ref: 0087D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0087D882
ReleaseDC.USER32(?), ref: 0087D8A3

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9274509d0aad12867ae37c70cd8a5baae0b3a5cc5f99c7165bea72d27ca4f33e
Instruction ID: 5f7f0978f0d4d4b2bdd2c2533df45ff02f3df16d141c0e15d43f5cf634ea82ca
Opcode Fuzzy Hash: 9274509d0aad12867ae37c70cd8a5baae0b3a5cc5f99c7165bea72d27ca4f33e
Instruction Fuzzy Hash: B3E01AB4C00208DFCB41AFA4D908A6DBBB1FB58310F148519E806E7250CB389941AF51

Function 0087D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0087D86C
GetDC.USER32(00000000), ref: 0087D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0087D882
ReleaseDC.USER32(?), ref: 0087D8A3

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a5d6fa7bed626dee6bbe1e5290fa5fddfab0ad1616288231c126edc1b0c5c4d9
Instruction ID: d059abfb91f278682e2b2024eddf8d657eb4660df3a84e52821db69ceaa0c554
Opcode Fuzzy Hash: a5d6fa7bed626dee6bbe1e5290fa5fddfab0ad1616288231c126edc1b0c5c4d9
Instruction Fuzzy Hash: 21E046B4C00204EFCF50AFA8E80CA6DBBB1FB58310F108508F80AE7350CB385902AF90

Function 00894D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00827620: _wcslen.LIBCMT ref: 00827625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00894ED4

Strings

*, xrefs: 00894E10
LPT, xrefs: 00894DFB

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 2fdb5cf6367fb1594ea6e54a02ff21b1f7e776c22db5dcec2e79a248da2c7d4a
Instruction ID: ff051cf834ca83092635cbb66bcb63e3dfdd7ec33990f6433db964b005e7955b
Opcode Fuzzy Hash: 2fdb5cf6367fb1594ea6e54a02ff21b1f7e776c22db5dcec2e79a248da2c7d4a
Instruction Fuzzy Hash: 0C915F75A002159FCB14EF58C484EAABBF1FF44318F189099E40A9F762DB35ED86CB91

Function 0084E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0084E30D

Strings

pow, xrefs: 0084E2E5, 0084E302

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 165107a8b808bb37ebc09034354bdf0a1c5668aa17064c56175bfdc09b7bdff4
Instruction ID: 3822686646e65efe9cd497dc6973e60107725bc6dde450ba0bdab027b89c5840
Opcode Fuzzy Hash: 165107a8b808bb37ebc09034354bdf0a1c5668aa17064c56175bfdc09b7bdff4
Instruction Fuzzy Hash: 97515F71A0C20996CB167B18E9427793BB4FB40B42F30C9A8F8D5C23EDDF358C899646

Function 0083E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0083E1B1

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ffb453376ca34024ab0f401798603564514e1774f84cfa8bb093e2f4626deea9
Instruction ID: 3e1cc4ff526ac4d43b4cbf3c442be1c4498bd1ad56367afe2a307c27a8da34b9
Opcode Fuzzy Hash: ffb453376ca34024ab0f401798603564514e1774f84cfa8bb093e2f4626deea9
Instruction Fuzzy Hash: CF51233550024ADFDF19DF68C081ABA7BA8FF69310F2480A5F895DB2D4D634DD52CBA1

Function 0083F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0083F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0083F2BB

Strings

@, xrefs: 0083F2AF

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: b1dd33a6173cf0842549aa33d5e092232d98f2f24acc92857fc6a6a6c1e31eae
Instruction ID: 940ef99dfdc94f00697064833349ce4dcc5ebdbcbcb4a119ff294c63f1d779fd
Opcode Fuzzy Hash: b1dd33a6173cf0842549aa33d5e092232d98f2f24acc92857fc6a6a6c1e31eae
Instruction Fuzzy Hash: 57513871418B449BD320AF55E886BAFBBF8FF84300F81885DF19981195EF708969CB67

Function 008A5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008A57E0
_wcslen.LIBCMT ref: 008A57EC

Strings

CALLARGARRAY, xrefs: 008A57E6, 008A57EB

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 3f4310b218911810793aba94c1509dcecbfbf888af71c227ce92b910cc762899
Instruction ID: e7e16f196a98526605538c4c34014f0a2a75b261540fe56a7ceb572a7e86cc5c
Opcode Fuzzy Hash: 3f4310b218911810793aba94c1509dcecbfbf888af71c227ce92b910cc762899
Instruction Fuzzy Hash: 8C419031E002099FDB14DFA9C8819BEBBB5FF5A724F144069E505E7352EB349D81CBA1

Function 0089D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0089D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0089D13A

Strings

|, xrefs: 0089D10B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: e4b7934a8a59ac8be74c978c60e607f8fdfbaca67285d8339a9730691b0e31ef
Instruction ID: 225912ede53b100d9c2eb66e6c4afa991fc92aaaf28f0b336c1e1891b065367b
Opcode Fuzzy Hash: e4b7934a8a59ac8be74c978c60e607f8fdfbaca67285d8339a9730691b0e31ef
Instruction Fuzzy Hash: 1E313875D01219ABCF15EFA8DC85AEEBFB9FF04300F140019F815A6162EB31AA56CB65

Function 008B356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 008B3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 008B365C

Strings

static, xrefs: 008B35BC

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 1c123c00fbc0327a871f1f124a19efc62fb6348cf05a9a9febbf6f9d0c6f7fc2
Instruction ID: 222d63a2c02b08de2e1340759d309061d7db65e50889f5a86b3dac59c0cdc6dd
Opcode Fuzzy Hash: 1c123c00fbc0327a871f1f124a19efc62fb6348cf05a9a9febbf6f9d0c6f7fc2
Instruction Fuzzy Hash: AC319A71110608AEDB24DF38DC80EFB73A9FF99724F008619F8A5D7290DA30AD91DB60

Function 008B4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 008B461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008B4634

Strings

', xrefs: 008B458E

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: d51a50c21c4c2eefb9538732532845842311fdfd6e507265ee13baa1d5f4ff1a
Instruction ID: 08bbe90ebafeb51fc40c31cd851e29c069d34ecd6db28b53167a0bb0f3b41d5a
Opcode Fuzzy Hash: d51a50c21c4c2eefb9538732532845842311fdfd6e507265ee13baa1d5f4ff1a
Instruction Fuzzy Hash: D6313874A0061A9FDF14CFA9C981BEABBB5FF19300F10516AE904EB352D770A941CF90

Function 008B31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008B327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008B3287

Strings

Combobox, xrefs: 008B3249

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: da317c9af60543a63dca742ce45b07b67eac989fc55bdc87ebb9c3cfcde88881
Instruction ID: 2739738d3338af87d9e7cfd10cf9f50c47458bc2c090c6b68c36854586868bd2
Opcode Fuzzy Hash: da317c9af60543a63dca742ce45b07b67eac989fc55bdc87ebb9c3cfcde88881
Instruction Fuzzy Hash: 2B11B271300208BFEF219E98DC85EFB376AFB993A5F104228F918E7390D6719D518760

Function 008B3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0082600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0082604C
Part of subcall function 0082600E: GetStockObject.GDI32(00000011), ref: 00826060
Part of subcall function 0082600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0082606A

GetWindowRect.USER32(00000000,?), ref: 008B377A
GetSysColor.USER32(00000012), ref: 008B3794

Strings

static, xrefs: 008B3757

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9df6982538b6602eca067a24adee983519a1c117bbee84a143fbbdb211e7200f
Instruction ID: 9e06698028e1a1aeb7df9e767eab391d8321a7b756aefba69b7ce92122bc4edc
Opcode Fuzzy Hash: 9df6982538b6602eca067a24adee983519a1c117bbee84a143fbbdb211e7200f
Instruction Fuzzy Hash: BB1129B2610209AFDF00DFA8CC45EFA7BB8FB08354F004624F955E2250EB35E851DB60

Function 0089CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0089CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0089CDA6

Strings

<local>, xrefs: 0089CD66

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 6a5be7330560c7d50e9c3a1b50a602a2cb6fd329c16e66a263f0ae425148ee38
Instruction ID: 407a114bbad1595c458ae3c4b76d511d91b2d66a2c02cbc2899940a48e82301b
Opcode Fuzzy Hash: 6a5be7330560c7d50e9c3a1b50a602a2cb6fd329c16e66a263f0ae425148ee38
Instruction Fuzzy Hash: 1F11C6B1205635BEDB345B668C45EE7BE6CFF127A8F144226B109C3180D7759840D6F0

Function 008B3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008B34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008B34BA

Strings

edit, xrefs: 008B348F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: a4a0e823911dc9f662692de1a68d9758f80e222ea87d9b8b8b078737cc456054
Instruction ID: b5446d6e13f7988d80c94136ecd52e7efddf96df45fffa94f90cc9ea69f2e661
Opcode Fuzzy Hash: a4a0e823911dc9f662692de1a68d9758f80e222ea87d9b8b8b078737cc456054
Instruction Fuzzy Hash: 59118F71100108ABEB218E68DC44AFB3B6AFF25378F504324F961D32D0C771DD519758

Function 00886C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

CharUpperBuffW.USER32(?,?,?), ref: 00886CB6
_wcslen.LIBCMT ref: 00886CC2

Strings

STOP, xrefs: 00886CBC, 00886CC1

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 3c77fe85e0a617dfcee14caeffd3930fe4a06297008d0253e5c9d945c0ee5f0d
Instruction ID: 0b7ba18655c75195485f27c7ddc4b91df8c5bbd25dce59af4b00115848e99a29
Opcode Fuzzy Hash: 3c77fe85e0a617dfcee14caeffd3930fe4a06297008d0253e5c9d945c0ee5f0d
Instruction Fuzzy Hash: 2F01C032A1052A8BCB21BFFDDC809BF77A6FF61714B110538E862D6191FA32D960C751

Function 00881CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

Part of subcall function 00883CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00883CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00881D4C

Strings

ListBox, xrefs: 00881D16
ComboBox, xrefs: 00881CEB

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5ec1940cb8852b8960f46bc2eee15736a55597580dd8b9bea1af2ad55b889638
Instruction ID: 8b445cd513807c23668fa28becf9df820a6224268b700b22751d5e03fba47881
Opcode Fuzzy Hash: 5ec1940cb8852b8960f46bc2eee15736a55597580dd8b9bea1af2ad55b889638
Instruction Fuzzy Hash: 6D019E75601228AB8B08BBA8DD559FE73A8FB56360F040619F862E72C1EE30590987A1

Function 00881BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

Part of subcall function 00883CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00883CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00881C46

Strings

ListBox, xrefs: 00881C10
ComboBox, xrefs: 00881BE5

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8175e6f196900c4a6ee777c7e585b36f0e7a9633e49dfe35fc406be709e4d147
Instruction ID: 3e404fd1ba2e892d714534d059b90cbe2b17d841c75d0bb84faf8215047ba802
Opcode Fuzzy Hash: 8175e6f196900c4a6ee777c7e585b36f0e7a9633e49dfe35fc406be709e4d147
Instruction Fuzzy Hash: 9701D4B5A8011866CF04FB94DA559FF73ADFB12340F140029E456E3281EE209B0987B2

Function 00881C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

Part of subcall function 00883CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00883CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00881CC8

Strings

ListBox, xrefs: 00881C94
ComboBox, xrefs: 00881C69

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f0b27b5b81d41c5d5e1ae967e6a105b089a5aef492f6072aa85ed7e60d58a934
Instruction ID: f9c9d4ed807a2474724b3a275555bcfc7c809f120ff06c5e7aee524e63e1f9c8
Opcode Fuzzy Hash: f0b27b5b81d41c5d5e1ae967e6a105b089a5aef492f6072aa85ed7e60d58a934
Instruction Fuzzy Hash: 2E01A2B5A8011867CF14FBA9DA15AFE73ADFB12340F140025B842F3282EE609F098772

Function 00881D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829CB3: _wcslen.LIBCMT ref: 00829CBD

Part of subcall function 00883CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00883CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00881DD3

Strings

ListBox, xrefs: 00881DA0
ComboBox, xrefs: 00881D75

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8872d9dc27bc1b59b7cdcabafcecd688239d80b40bf30d96c6b1784905a121ac
Instruction ID: 46ed2eebe5d8dc1c7c4280d06c42bc6119e8a7c591d43494cfbfc664b8054715
Opcode Fuzzy Hash: 8872d9dc27bc1b59b7cdcabafcecd688239d80b40bf30d96c6b1784905a121ac
Instruction Fuzzy Hash: 0EF0A4B1A4122867DB04F7A8DD56FFE776CFB02754F040929F862E32C2DE605A098361

Function 008A747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008A7493
_wcslen.LIBCMT ref: 008A74B9

Strings

3, 3, 16, 1, xrefs: 008A7483

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b5470d66c2f3b57e0382fde06b86386a9c155be9882352de3a85efc2b4fd1353
Instruction ID: 0ac09dc48ea09b80e603cffed52da8084071a1521be2f81a3bd59c1a7711c9b7
Opcode Fuzzy Hash: b5470d66c2f3b57e0382fde06b86386a9c155be9882352de3a85efc2b4fd1353
Instruction Fuzzy Hash: 9AE02B0221622010E231127E9CC1A7F5F8DFFCF750710282BFA81C2276EE948D92B3A6

Function 00880B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00880B23

Strings

Error allocating memory., xrefs: 00880B1C
AutoIt, xrefs: 00880B17

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 00f5bc9c41a6f9f3e539ac11ef9ed49a955adc061f19368ef5362063f37f6b71
Instruction ID: d91b28166b0bd6b495e3ba78a487e4400069b8f9889806d0735f5d9e15f68380
Opcode Fuzzy Hash: 00f5bc9c41a6f9f3e539ac11ef9ed49a955adc061f19368ef5362063f37f6b71
Instruction Fuzzy Hash: AAE048322843582BD21436997C07FC9BF84FF05B65F100426FB98D96D38AE1649056EA

Function 00840D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0083F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00840D71,?,?,?,0082100A), ref: 0083F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0082100A), ref: 00840D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0082100A), ref: 00840D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00840D7F

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 7911cde9b977f91601b4dcabab3c37ce19af9f86804670f50c745c7bd6c7f93a
Instruction ID: d5f0e3309d52160647f70587520ad56b87147e71f048cff644b578cfd1c12a6b
Opcode Fuzzy Hash: 7911cde9b977f91601b4dcabab3c37ce19af9f86804670f50c745c7bd6c7f93a
Instruction Fuzzy Hash: 3DE0ED746007518BD7609FBCE8487577BE4FF04744F004A2DE696C6752DBB5E4488FA1

Function 00893017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0089302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00893044

Strings

aut, xrefs: 00893038

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a7f808704a4f461f9186809402f1a9b486abe6c1ba7008f496a8dfbccce67b50
Instruction ID: 9e57274a449e183c4b5b34e61760ed134b106ed9a64024cf272629444f85d975
Opcode Fuzzy Hash: a7f808704a4f461f9186809402f1a9b486abe6c1ba7008f496a8dfbccce67b50
Instruction Fuzzy Hash: 05D05E7290032867DA20A7A5AC0EFCB3B6CEB05750F0002A1B755E2091EAB49984CBE0

Function 0087D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0087D220

Strings

X64, xrefs: 0087D2A8
%.3d, xrefs: 0087D22B

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: e4e8bc8adf7b33b66f4704b0cd680829af33ee8db0099a137a4812f53ae58d14
Instruction ID: 1d45eaf7ef52c448fb3b19089c05e74412217afc4fc739756251175e7971657f
Opcode Fuzzy Hash: e4e8bc8adf7b33b66f4704b0cd680829af33ee8db0099a137a4812f53ae58d14
Instruction Fuzzy Hash: FFD012A1C1830CEACF9096D0DC458B9B37CFF58305F90C452F90AE1046D624E50967A1

Function 008B2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008B232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008B233F

Part of subcall function 0088E97B: Sleep.KERNEL32 ref: 0088E9F3

Strings

Shell_TrayWnd, xrefs: 008B2325

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 252f528e9ea8276b4a21d1d7d58d52d8c19681df5283bbf8c88b3d87a0dec883
Instruction ID: 6e2c4fae4359e7b272907ced3782c1e27ec842b36aa068a63da3f632ac55302a
Opcode Fuzzy Hash: 252f528e9ea8276b4a21d1d7d58d52d8c19681df5283bbf8c88b3d87a0dec883
Instruction Fuzzy Hash: B6D0A932380300B6E2A4BB309C0FFD66B04BB10B00F004A06B295EA1D0D8E0A8018A00

Function 008B2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008B236C
PostMessageW.USER32(00000000), ref: 008B2373

Part of subcall function 0088E97B: Sleep.KERNEL32 ref: 0088E9F3

Strings

Shell_TrayWnd, xrefs: 008B2365

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2f55f05371fefa6f6ab674e97ad9003c9cc1bee8f35ebbce59ef43b0b40d5ab9
Instruction ID: 6cbdbcb68faf16da463f0ef09c94f7a40fdb0a1af8595fbc952368aad6f893d7
Opcode Fuzzy Hash: 2f55f05371fefa6f6ab674e97ad9003c9cc1bee8f35ebbce59ef43b0b40d5ab9
Instruction Fuzzy Hash: DCD0C9323C13517AE6A4BB719C4FFD66B14BB15B10F004A16B695EA1D0D9E4A8418A54

Function 0085BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0085BE93
GetLastError.KERNEL32 ref: 0085BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0085BEFC

Memory Dump Source

Source File: 00000000.00000002.2013734098.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2013720983.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013783432.00000000008E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013823580.00000000008EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013839341.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e57527599d0df0760ed90ed7262210d8a6d8a99735ba989fae5ea852463e4d53
Instruction ID: 65b62f49b95b8bd6952023ff24254be5dbbce39a005a691a67ddc6c39acf0f25
Opcode Fuzzy Hash: e57527599d0df0760ed90ed7262210d8a6d8a99735ba989fae5ea852463e4d53
Instruction Fuzzy Hash: 0B41D43460021AAFCF218FA9CC45ABABBA5FF61312F144169FD59D71A1DF308D09CB61

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1657688464&timestamp=1727774586939 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=coBcBVG9IM4bv2qWDEh-GzhsCax3AiA8AzVmH3vx3q0oxqIfE60rDRsvmuQfahm_0DCyjVs2AFhgBL3toiLFVNwmwUdenTcD7-1YTlXIn-D75Uw0T74U07bwIGfuRzC4jB63u9pmozzjZ3ZZJHWyDweE2ziQigr7RdpK5XoACwCnaq4VAFc
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Xs4WY7FdaVPvhWh&MD=wOc4etHu HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Xs4WY7FdaVPvhWh&MD=wOc4etHu HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 103

Chrome Cache Entry: 104

Chrome Cache Entry: 105

Chrome Cache Entry: 106

Chrome Cache Entry: 107

Chrome Cache Entry: 93

Chrome Cache Entry: 94

Chrome Cache Entry: 95

Chrome Cache Entry: 96

Windows Analysis Report
file.exe

Function 008242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 008242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00862BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0088D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Function 0088DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Function 008AAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00822CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0086065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0082344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre